
How to challenge an ArcSight connector headcount

An ArcSight finding often rests on a connector headcount that was never built to measure live consumption. To challenge an ArcSight connector headcount you replace the vendor registry export with an independent inventory that ties every counted component to a live source, a real environment, and an actual flow of events.

When OpenText presents a connector-based finding, the number almost always comes from a single artifact: a registered component list pulled from connector management or the manager configuration. That list is a historical record, not a consumption meter. It remembers every connector ever stood up, including the ones that stopped forwarding events years ago. The task in front of a buyer is to move the conversation off that list and onto evidence the buyer controls.

Why the connector headcount is the soft spot in an ArcSight finding

The audit remedy in the OpenText agreement is unusually heavy. On a finding of noncompliance the licensee is deemed to have acquired licenses at the then-current list price, owes back maintenance and support, owes first-year maintenance on the new licenses, and reimburses the cost OpenText incurs running the audit. Every one of those charges scales with the unit count. So when the unit is a connector and the count is inflated by dead registrations, the inflation does not add once. It compounds across four separate charges. That is exactly why the connector line repays a careful challenge more than almost any other part of a security finding.

Build the independent inventory first

The challenge does not begin with an argument. It begins with a reconstruction. We build the connector estate from operational data rather than from the registry, and for each registered component we establish three facts. Is it forwarding events inside the measurement window? Which distinct log source does it represent? Which environment does it sit in? A component that fails any of those tests does not belong on a production headcount, and the burden of that demonstration sits with the party that holds the operational data, which is the buyer.

The mechanic

A registry that reports 600 connectors can resolve to a defensible 380 once retired entries, clones, failover partners, and lab instances are removed. The finding is priced on 600. The reconstruction reprices it on 380.

Put the burden back where it belongs

Auditors present the registry as settled fact and invite the buyer to disprove it line by line under time pressure. That framing is a choice, not a rule. The agreement gives OpenText the right to measure, but the measurement still has to reflect licensed use, and a registry export does not. When you arrive with an inventory that maps live connectors to live sources, the question flips. It is no longer the buyer explaining away a number. It is the vendor explaining why a deregistered or duplicated component should carry list price, back maintenance, and audit cost.

Sequence the challenge inside the notice window

OpenText gives seven days' notice before an audit and the right to copy relevant records. That window is where the connector challenge is won or lost. The move is to take over first contact, route everything through a single controlled channel, and decline to hand over a raw registry export without the operational context that explains it. A registry handed over cold becomes the baseline. A registry handed over alongside a reconstruction becomes one input among several, and the weaker one.

A recent engagement

In the banking matter recorded as case file E-03, a combined EPS and connector finding of $6.0M settled at $1.8M, a 70 percent reduction. The connector half of that result came directly from correcting the headcount. Once retired and duplicated components were stripped out and the live estate was mapped to real sources, the count side of the finding fell, and it reinforced the separate work of splitting burst from sustained on the EPS side. The lesson generalises: a connector count is a claim about live consumption, and live consumption is something the buyer can prove better than the vendor can assume.

What a finished challenge looks like

The deliverable is not a complaint, it is a reconciliation. It lists every registered component, marks each as live or artifact, ties each live component to a source and an environment, resolves failover pairs, and arrives at a corrected count that an auditor cannot wave away because it is built from the buyer's own event data. That corrected count is then reconciled against the entitlement and the finding is repriced. Done well, the connector argument is settled on paper before it ever becomes a negotiation.
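The reconciliation described above, sketched as an added example that is not part of the original article or any vendor tool. The column names, the 90-day window, the sample rows and the order in which the tests are applied are all constructed assumptions; the registry would come from the buyer's own export and `last_event` from the buyer's own event data.

```python
from datetime import datetime, timedelta

# Constructed sample data. Column names and the 90-day window are assumptions
# for illustration; they are not an ArcSight export schema or a contract term.
WINDOW_END = datetime(2025, 6, 30)
WINDOW_START = WINDOW_END - timedelta(days=90)
FIELDS = ("name", "source", "env", "last_event", "failover_of")
REGISTRY = [dict(zip(FIELDS, row)) for row in [
    ("fw-edge-01",       "fw-edge", "prod", datetime(2025, 6, 29), None),
    ("fw-edge-01-clone", "fw-edge", "prod", datetime(2025, 6, 29), None),
    ("ad-dc-a",          "ad-dc",   "prod", datetime(2025, 6, 30), None),
    ("ad-dc-b",          "ad-dc",   "prod", datetime(2025, 6, 28), "ad-dc-a"),
    ("proxy-old",        "proxy",   "prod", datetime(2022, 3, 1),  None),
    ("lab-syslog",       "lab-sys", "lab",  datetime(2025, 6, 20), None),
    ("never-started",    "vpn",     "prod", None,                  None),
]]

def reconcile(registry, start, end):
    """Return (rows, corrected_count): one status row per registered component."""
    rows, counted = [], set()
    # Primaries before failover partners, so a partner only counts if its primary did not.
    for c in sorted(registry, key=lambda c: (c["failover_of"] is not None, c["name"])):
        last = c["last_event"]
        if last is None or not (start <= last <= end):
            status = "artifact: no events in window"
        elif c["env"] != "prod":
            status = "artifact: non-production"
        elif c["source"] in counted:
            status = ("artifact: failover partner" if c["failover_of"]
                      else "artifact: duplicate source")
        else:
            status = "live"
            counted.add(c["source"])
        rows.append({"name": c["name"], "source": c["source"],
                     "env": c["env"], "status": status})
    return rows, len(counted)

if __name__ == "__main__":
    rows, corrected = reconcile(REGISTRY, WINDOW_START, WINDOW_END)
    for r in rows:
        print(f'{r["name"]:<18}{r["source"]:<9}{r["env"]:<6}{r["status"]}')
    print(f"registered={len(REGISTRY)} corrected={corrected}")
```

Every registered component keeps a row with its reason, so the output reads as a line-by-line reconciliation rather than a bare total.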

What the agreement does and does not let the vendor demand

It helps to be precise about what the OpenText agreement actually authorises. OpenText gives seven days' notice before an audit and has the right to copy relevant records. That is a right to inspect, not a right to dictate the interpretation of what it finds. A registry export is a relevant record, so the vendor may copy it, but the conclusion that every line in that export is a licensed, consuming connector is an inference, and inferences are contestable. The buyer is entitled to put forward better evidence of actual consumption, and event flow data is better evidence than a configuration list by any reasonable standard. Keeping that distinction clear, between what the vendor may collect and what the vendor may conclude, is half the battle in a connector dispute.

Common objections and how the evidence answers them

Auditors raise predictable objections to a reconstructed count, and each has a documented answer. The objection that a connector could be reactivated at any time is answered by the measurement window, which prices licensed use during a defined period, not hypothetical future use. The objection that a clone might process distinct events is answered by source mapping, which shows the clone forwarding the same source as its original. The objection that lab connectors still touch the platform is answered by the scope clause, where the metric is defined against production. None of these answers is rhetorical. Each is a line in the reconstruction backed by the buyer's operational record, which is why a documented inventory ends the argument that an undocumented assertion would only prolong.


If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer-side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.