Sentinel versus ArcSight Logger licensing context
Two log management products, two acquisition histories, two metric traditions. The licensing context of Sentinel versus ArcSight Logger matters in an audit because the two products are measured against different units. A finding that borrows the wrong unit, or merges both estates into one count, produces an inflated figure against an entitlement that was never written that way.
Both Sentinel and ArcSight Logger reached the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and both are governed by Additional License Authorizations rather than the OpenText EULA. They are often deployed side by side, sometimes with overlapping data feeds, and an audit that does not separate them cleanly tends to read each at its widest. The defensive starting point is to treat them as two distinct license positions, each held to its own authorization, before a single number is discussed.
Why the two products are measured differently
ArcSight Logger is a log collection and retention product, and its licensing has historically attached to data volume, expressed as a quantity ingested or stored over a defined period, or to the storage footprint itself. Sentinel originated in the NetIQ identity and security line and carries its own measurement heritage, commonly attaching to event rate or to a managed data volume depending on the edition and the agreement. The point is not which metric is harder. The point is that the unit governing your Logger entitlement is not automatically the unit governing your Sentinel entitlement, and an audit that applies one metric uniformly across both is measuring something other than your license.
Sentinel and Logger entered the estate from different product families and carry different metrics. A finding that applies a single unit to both, or that double counts data flowing through both, is not measuring two separate entitlements. It is inventing a combined one.
Where the combined finding inflates
The most common inflation in a mixed Sentinel and Logger environment is double counting. Events frequently flow into both products, with Logger retaining raw logs for long term storage while Sentinel correlates a subset for active monitoring. An audit that sums the volume seen by Logger and the volume seen by Sentinel as though they were independent loads counts the same data twice. The corrective is to map the data flow and establish what each product actually holds under its own metric, rather than accepting an additive total that no single license was ever sized against.
- Double counted data. The same events ingested by both products, summed as if they were two separate volumes.
- Borrowed metrics. A volume figure derived for one product applied to the other, where the authorizations define the unit differently.
- Edition drift. A high tier metric assumed across a deployment that runs a lower tier edition with a narrower measurement.
- Non production feeds. Lab and test data routed through either product and swept into a production total.
Reconstruct each entitlement against its own authorization
The four Rs apply with one product specific emphasis: reconstruct twice, once per product. Respond by taking the seven day notice window and routing all data requests through a single controlled channel. Reconstruct the effective position for Logger against the volume or storage metric its authorization names, and reconstruct Sentinel separately against the event or volume metric its authorization names. Rebut the finding line by line, separating the two estates and removing any double counted feeds. Resolve on terms that fix each metric unambiguously so the next measurement starts from two settled definitions rather than one blended assumption.
A recent engagement
In a recent engagement an environment running both products had been priced on a volume total that effectively counted the shared event stream twice, once where Logger retained it and once where Sentinel correlated it. Separating the data flow and holding each product to the metric in its own Additional License Authorization removed the duplication without inventing any new facts about the deployment. The same discipline that splits burst from sustained in an EPS matter splits one product from another here: the finding falls when the count is held to what each license actually measures.
Read the authorization before accepting the unit
With Sentinel and Logger more than most pairings, the temptation is to assume the metrics are interchangeable because the products look similar in a dashboard. They are not. The Additional License Authorizations are where the unit, the edition, and the measurement window are fixed, and those documents predate the combined estate. A finding that paraphrases a single metric across both products, without quoting each authorization, is asking the buyer to accept a blend. The defensive discipline is to insist on the language of each authorization and to reconstruct each position separately. Most of the reduction in a mixed environment comes from establishing that the audit measured a combined load that no individual entitlement was ever written to cover.
Running both Sentinel and ArcSight Logger under one audit?
We separate the two estates, hold each to its own authorization, and remove any double counted data before the finding is repriced. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Related field notes
These notes from the ArcSight and Security audit defense cluster cover log management metrics and the wider security portfolio. Each links back to the complete OpenText audit defense playbook for 2026.
- Sentinel event and data volume audit considerations
- ArcSight ESM versus Logger licensing compared
- ArcSight GB per day versus EPS metric models
- How ArcSight data volume metrics inflate a finding
- NetIQ Sentinel collector and connector counting
If an OpenText or Micro Focus audit notice has landed on your desk, the first seven days carry more weight than any week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, brought the average finding down by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.