Log Parser Ports

Stellar Cyber sensors require open inbound ports on your firewall in order to receive and parse logs from devices on your network. The ports are already open by default on the sensor, but you must open the appropriate ports on your firewall. This topic lists the supported log parsers and related details. Log parsers are organized in two categories, generic log parsers and vendor-specific log parsers, each listed in its own table below.

Also see: Firewall Requirements

Unless otherwise noted, the ports listed are applicable for both UDP and TCP.

During installation, the sensor timezone is automatically set to UTC+0. Because the logs of some security products include only the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to match the timezone of your security product.

Choosing an Ingestion Port

Sensors listen on port 514 by default. They then analyze the logs to determine the source device. In some cases, Stellar Cyber has specific ports to process industry standard log formats, as well as specialized parsers to process vendor-specific logs in a more detailed manner. If you can identify a more specific port for your log type than port 514, you:

  • Speed up your data ingestion and log parsing, and increase sensor performance, because the sensor already knows the source device

  • Retain the correct log source, because logs received on port 514 have the source set to local when forwarded to the data processor

Use the following as a guide:

  • If the logs are in standard Common Event Format (CEF), Log Event Extended Format (LEEF), or JavaScript Object Notation (JSON) format, forward the data to the port specific to that standard, as listed in Generic Log Parsers.

  • If the logs are in standard Syslog format, use the port applicable for that vendor.

  • If the logs are in a specialized format, such as Syslog parsed with regular expressions, key: value pairs, or CSV, use the vendor-specific ports.

Using the Port Relay Feature to Minimize Open Ports

It's a best practice in Stellar Cyber to send logs to their vendor-specific parsers, when available. In releases previous to 4.3.5, this was accomplished by referring to the list of supported vendor-specific ports, pointing your log sources to that port on the sensor IP address, and opening the port in your firewall.

This approach is still available and can be used. As an alternative, however, you can configure your sensors to accept log traffic on the generic syslog ports of 514 (non-TLS) or 6514 (TLS) and relay that traffic to vendor-specific ports internally based on the source traffic's IP address.

You do this differently depending on the release your sensors are running:

  • For sensors running 4.3.5, you configure port relay in the sensor CLI using the instructions below.

  • For sensors running 4.3.6, you configure port relay in the System | Collection | Log Sources page. In 4.3.6, CLI configuration is deprecated and only the Log Sources page is used.

Configuring Port Relay in the CLI

You configure the port relay feature for sensors running 4.3.5 using the set logforwarder device-ip command in the sensor CLI. The procedure is as follows:

  1. Find the IP address of your log source.

  2. Use the Log Parser Ports topic to find the parser port for your log source.

  3. Connect to the sensor CLI.

  4. Use the set logforwarder device-ip command to make an entry on the sensor for your log source and the corresponding destination port. The syntax is as follows:

    set logforwarder device-ip <IP Address> parser-port <Integer> ingestion-port <514|6514 default=514>

    So, for example, if you are sending Azure MFA logs from 10.33.5.5 to the sensor, you could either send them directly to port 5528 as you did in previous releases, or you could send them to the standard syslog port of 514 and use the following command on the sensor to relay them internally to 5528:

    set logforwarder device-ip 10.33.5.5 parser-port 5528

    This command tells the sensor to relay logs received on port 514 (the default, which is why it is not explicitly specified in the command above) from 10.33.5.5 to the vendor-specific parser port of 5528 for Azure MFA.

    You can also use the ingestion-port argument if you want to listen for a source on the generic TLS syslog port instead of the default of 514. For example, for Netfilter logs sent from 10.31.2.2, you would use the following command to relay them from 6514 to their vendor-specific parser port of 5544:

    set logforwarder device-ip 10.31.2.2 parser-port 5544 ingestion-port 6514

Notes on Using the Port Relay Feature

Keep in mind the following tips when using the port relay feature:

  • The sending log source must be on the same subnet as the receiving sensor, and there must be no proxy between the log source and the sensor that could change the log source IP address.

  • When you create a port relay entry, the sensor listens for both UDP and TCP traffic from the specified source. You can verify this with the show logforwarder port-ingestion command.

  • The show logforwarder port-ingestion command is also a useful tool for troubleshooting port relay entries. You can see packet and byte counts for relayed traffic and determine whether traffic is reaching the sensor.

  • You can remove port relay entries using unset logforwarder device-ip <IP Address>.

  • The CLI warns you if you try to add an unsupported parser port. It still adds the unsupported port but lists it in the show logforwarder port-ingestion output as inactive.
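To check a relay plan before typing it into the sensor CLI, the following added example (not Stellar Cyber code; the sensor's internal implementation is not published on this page) models the behaviour the procedure and notes above describe: one entry per source IP, ingestion port 514 unless 6514 is given, both UDP and TCP accepted from that source, an unsupported parser port accepted but marked inactive, unset removing the entry, and per-entry packet and byte counters like those shown by show logforwarder port-ingestion. The SUPPORTED_PARSER_PORTS subset, the output layout and the sample traffic are constructed for the example.

```python
"""Model of the sensor port relay table described in the procedure above.

Added example, not Stellar Cyber code. Reproduces the documented behaviour
(set/unset logforwarder device-ip, default ingestion port 514 or 6514 for
TLS, unsupported parser ports kept but inactive, UDP and TCP both relayed)
so a relay plan can be sanity-checked offline. Everything below is an
assumption about the feature, not the sensor's real implementation.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subset of the parser ports listed on this page.
SUPPORTED_PARSER_PORTS = {
    5528: "azure_mfa",
    5544: "netfilter",
    5143: "cef",
    5522: "leef",
    5542: "forti_analyzer",
}
INGESTION_PORTS = (514, 6514)  # generic syslog: non-TLS and TLS


@dataclass
class RelayEntry:
    device_ip: str
    parser_port: int
    ingestion_port: int = 514
    active: bool = True
    packets: int = 0
    byte_count: int = 0


class PortRelay:
    def __init__(self):
        self.entries = {}

    def set_device(self, device_ip, parser_port, ingestion_port=514):
        """Equivalent of: set logforwarder device-ip <ip> parser-port <n> ingestion-port <514|6514>.
        Returns a warning string when the parser port is unsupported (entry kept, but inactive)."""
        ipaddress.ip_address(device_ip)  # raises ValueError on a malformed address
        if ingestion_port not in INGESTION_PORTS:
            raise ValueError(f"ingestion-port must be one of {INGESTION_PORTS}")
        active = parser_port in SUPPORTED_PARSER_PORTS
        self.entries[device_ip] = RelayEntry(device_ip, parser_port, ingestion_port, active)
        if active:
            return None
        return f"warning: parser port {parser_port} is not supported; entry marked inactive"

    def unset_device(self, device_ip):
        """Equivalent of: unset logforwarder device-ip <ip>. True if an entry was removed."""
        return self.entries.pop(device_ip, None) is not None

    def relay(self, src_ip, dst_port, proto, payload):
        """Decide where one datagram/segment received by the sensor is relayed.
        Returns the parser port, or None when no active entry matches the source
        IP and ingestion port (the sensor then treats it as plain generic syslog)."""
        if proto not in ("udp", "tcp"):
            raise ValueError("proto must be udp or tcp")
        entry = self.entries.get(src_ip)
        if entry is None or not entry.active or entry.ingestion_port != dst_port:
            return None
        entry.packets += 1
        entry.byte_count += len(payload)
        return entry.parser_port

    def show_port_ingestion(self):
        """One line per entry with state and counters (layout is constructed)."""
        lines = []
        for e in sorted(self.entries.values(), key=lambda e: e.device_ip):
            state = "active" if e.active else "inactive"
            lines.append(f"{e.device_ip:<16} {e.ingestion_port:>5} -> {e.parser_port:<5} "
                         f"{state:<8} pkts={e.packets} bytes={e.byte_count}")
        return lines


def command_lines(relay):
    """Render the CLI commands that would reproduce the current relay table.
    The ingestion-port argument is omitted when it is the default 514."""
    out = []
    for e in sorted(relay.entries.values(), key=lambda e: e.device_ip):
        cmd = f"set logforwarder device-ip {e.device_ip} parser-port {e.parser_port}"
        if e.ingestion_port != 514:
            cmd += f" ingestion-port {e.ingestion_port}"
        out.append(cmd)
    return out


def demo():
    """Constructed scenario: the two sources from the procedure plus one bad entry."""
    relay = PortRelay()
    relay.set_device("10.33.5.5", 5528)                       # Azure MFA via 514
    relay.set_device("10.31.2.2", 5544, ingestion_port=6514)  # Netfilter via TLS 6514
    warning = relay.set_device("10.40.0.9", 9999)             # unsupported parser port
    routed = [
        relay.relay("10.33.5.5", 514, "udp", b"<13>azure mfa sample"),
        relay.relay("10.33.5.5", 514, "tcp", b"<13>azure mfa sample"),
        relay.relay("10.31.2.2", 6514, "tcp", b"<13>netfilter sample"),
        relay.relay("10.31.2.2", 514, "udp", b"wrong ingestion port"),
        relay.relay("10.40.0.9", 514, "udp", b"inactive entry"),
        relay.relay("10.99.9.9", 514, "udp", b"no entry at all"),
    ]
    return relay, warning, routed


if __name__ == "__main__":
    relay, warning, routed = demo()
    print(warning)
    print(routed)
    print("\n".join(relay.show_port_ingestion()))
    print("\n".join(command_lines(relay)))
```

The fourth relay call shows the subtlety worth remembering from the procedure: an entry created with ingestion-port 6514 does not match the same source arriving on 514, so such logs fall through to generic syslog parsing rather than the vendor parser.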

Generic Log Parsers

This table includes all supported generic log parser formats, the required firewall port, device type, and the associated Stellar Cyber index.

Use the msg_origin.source field in the Interflow to find the logs when threat hunting in the specified index.

In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser type (cef, leef).

When the data processor (DP) processes the logs, it decides the index based on the data in the logs. For example, in the table the Index for LEEF is Traffic (srcip), Syslog (otherwise): the index is Traffic if a source IP address is detected, and Syslog if not, checked in that order.

Following are the firewall ports to open for generic log formats, along with other useful details.

Standard | Port | msg_origin.source | Index | Comments
CEF | 5143 | cef_device_vendor | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) | Stellar Cyber recommends you use CEF, if available. Records from the following vendors are also indexed in ML IDS/Malware, with the threat field normalized from the log as follows: if cef_device_vendor is Check Point, from attack_information; if F5, from attack_type; if SentinelOne, from classification.
CEF2 | 5175 | cef_device_vendor | Traffic (srcip), Syslog (otherwise) | -
Generic capture | 5201 | generic_capture | Syslog | -
Generic syslog | 514 | - | - | Use only if you must use a log forwarder.
HTTP JSON | 5200 (tcp) | httpjson | Syslog | When you configure log forwarding to the HTTP JSON parser on this port, you must append /httpjson to the end of the URL of the target sensor. Example: http://<sensor-ip>:5200/httpjson
JSON stream | 5142 | json | Syslog | -
JSON beats | 5044 | beats | Syslog | -
LEEF | 5522 | vendor | Traffic (srcip), Syslog (otherwise) | Stellar Cyber recommends you use LEEF, if available. It is primarily useful for logs from IBM QRadar, for which LEEF was developed.
Linux Syslog | 5555 | linux_syslogs | Syslog | -
RFC 3164 | 5140 | syslog | Syslog | -
RFC 5424 | 5141 | syslog | Syslog | -
RFC 5424 Enhanced | 5589 | syslog_rfc5424 | Syslog | -

 

Vendor-specific Log Parsers

This table includes all supported vendor-specific parsers, the required firewall port, device type, and their associated Stellar Cyber indices.

The msg_origin.source column specifies the vendor's product. Use the field in the Interflow to find the logs when threat hunting in the specified index. The msg_origin.category column specifies the overall category.

In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser name.

The index column indicates the fields that must be present (and not null) for the logged data to be entered into the respective index. In some cases, no specific field is required, so just the index name is listed. For many parsers, the remaining data that is not mapped to a specific index is "otherwise" mapped into the Syslog index. For example, for FortiAnalyzer logs received on port 5542, data is added to the ML IDS/Malware index if the incoming field vendor.attack_name is not null. Data is added to the Traffic index if dstip is not null. The remaining data is added to the Syslog index. Use the dev_type field in the Interflow to find the logs when threat hunting in the specified index.
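The index rules in this paragraph, and the generic CEF row above (Traffic on the 5-tuple, Syslog otherwise, plus ML IDS/Malware for the vendors whose threat field is normalized), are easy to misread when a record has some but not all of the listed fields. The following added example (not Stellar Cyber code; the DP's real parser and field names beyond those on this page are not published here) parses a CEF line into flat fields, normalizes the threat field for the three vendors the generic table names, and applies ordered required-field rules of the kind this paragraph describes, using the FortiAnalyzer rule (vendor.attack_name, then dstip, then Syslog) with a dotted path lookup. The field names other than those on the page and all sample log lines are constructed.

```python
"""Index selection for parsed log records, following the rules stated on this page.

Added example, not Stellar Cyber code. Parses CEF, normalizes the threat
field for the vendors in the generic table, and routes a record by ordered
"required fields" rules. Sample lines and non-page field names are constructed.
"""
import re

CEF_HEADER_FIELDS = ("cef_version", "cef_device_vendor", "cef_device_product",
                     "cef_device_version", "cef_signature_id", "cef_name", "cef_severity")
# key=value pairs; a key contains no whitespace, '=' or backslash, so an escaped '\=' never starts a key
_EXT_PAIR = re.compile(r"([^\s=\\]+)=(.*?)(?=\s+[^\s=\\]+=|$)")


def split_cef_header(line):
    """Split the 7 pipe-separated header fields; '\\|' inside a field is an escaped pipe."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = [p.replace("\\|", "|") for p in parts[:7]]
    header[0] = header[0][len("CEF:"):]
    return dict(zip(CEF_HEADER_FIELDS, header)), parts[7]


def parse_cef_extension(ext):
    """Parse the extension into a dict; values may contain spaces and '\\=' escapes."""
    return {m.group(1): m.group(2).replace("\\=", "=").replace("\\\\", "\\")
            for m in _EXT_PAIR.finditer(ext)}


def parse_cef(line):
    header, ext = split_cef_header(line)
    record = dict(header)
    record.update(parse_cef_extension(ext))
    return record


# Threat normalization for the generic CEF parser, as listed in the generic table.
THREAT_SOURCE_BY_VENDOR = {
    "Check Point": "attack_information",
    "F5": "attack_type",
    "SentinelOne": "classification",
}


def normalize_threat(record):
    """Copy the vendor-specific attack field into a common 'threat' field (assumed name)."""
    src = THREAT_SOURCE_BY_VENDOR.get(record.get("cef_device_vendor"))
    if src and record.get(src) not in (None, ""):
        record["threat"] = record[src]
    return record


def get_path(record, path):
    """Look up a dotted path such as 'vendor.attack_name' in nested dicts."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def choose_index(record, rules):
    """rules: ordered (index_name, required_fields); the first rule whose fields are all
    present and non-null wins. An empty field list is the 'otherwise' rule."""
    for index, required in rules:
        if all(get_path(record, f) not in (None, "") for f in required):
            return index
    return None


TRAFFIC_5TUPLE = ["srcip", "srcport", "dstip", "dstport", "proto"]
CEF_RULES = [("Traffic", TRAFFIC_5TUPLE), ("Syslog", [])]                  # generic CEF row
LEEF_RULES = [("Traffic", ["srcip"]), ("Syslog", [])]                       # generic LEEF row
FORTIANALYZER_RULES = [("ML IDS/Malware", ["vendor.attack_name"]),         # port 5542 row
                       ("Traffic", ["dstip"]), ("Syslog", [])]


def route_cef_line(line):
    """Parse, normalize and route one CEF line. Returns (indices, record): the Traffic/Syslog
    decision first, plus ML IDS/Malware when a listed vendor's threat field was normalized."""
    record = normalize_threat(parse_cef(line))
    indices = [choose_index(record, CEF_RULES)]
    if "threat" in record:
        indices.append("ML IDS/Malware")
    return indices, record


# Constructed sample lines, not real product output.
SAMPLE_LINES = [
    "CEF:0|Check Point|VPN-1 & FireWall-1|R81|Alert|IPS prevent|8|srcip=10.0.0.5 srcport=40321 "
    "dstip=10.0.1.9 dstport=443 proto=tcp attack_information=Scanner Enforcement",
    "CEF:0|Acme|Gadget|1.0|100|Login ok|1|srcip=10.0.0.7 srcport=5000 dstip=10.0.1.2 dstport=22 proto=tcp",
    "CEF:0|Acme|Gadget|1.0|101|Config changed|3|msg=user admin changed policy foo\\=bar",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(route_cef_line(line)[0])
    print(choose_index({"vendor": {"attack_name": "Backdoor.X"}, "dstip": "10.1.1.1"}, FORTIANALYZER_RULES))
```

The third sample is the case the paragraph's "otherwise" covers: a well-formed CEF record with no network 5-tuple lands in Syslog only, so a threat-hunting query that filters the Traffic index on cef_device_vendor would never see it.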

Device | Port | msg_origin.source | msg_origin.category | Index
(OpnSense) Zenarmor plugin logs | 5604 | sunny_valley_networks_zenarmor | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AAA - Core (CEF) | 5143 | netiq_advance_auth | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Accops | 5526 | accops | vpn | Traffic (srcip), Syslog (otherwise)
Ahnlab AIPS | 5647 | ahnlab_aips | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Ahnlab EMS | 5657 | ahnlab_ems | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Ahnlab EPP | 5640 | ahnlab_epp | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AhnLab Policy Center | 5571 | ahnlab_policy_center | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AhnLab TrusGuard | 5558 | ahnlab_trusguard | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AirGap Ransomware Kill Switch | 5602 | airgap_ransomware_kill_switch | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AIX | 5523 | aix | unixlogs | Traffic (event_time: time format of hour:minute:second), Syslog (otherwise)
Alcatel Lucent Switch | 5677 | alcatel_lucent_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Aliyun / AliCloud | 5545 | aliyun | paas | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Android | 5605 | android | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Apache HTTP Server (httpd) | 5663 | apache_httpd | weblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AQTRONiX WebKnight | 5658 | aqtronix_webknight | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Aqua Cloud Native Application Protection Platform (CNAPP 2022.4) | 5656 | aquasecurity_cnapp | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Arbor Peakflow SP | 5598 | arbor_peakflow_sp | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Array Networks APV Series Load Balancing & App Delivery | 5680 | array_networks_apv | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Array Networks ASF 1800 | 5675 | array_networks_asf_1800 | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Array Networks Secure Access Gateway | 5537 | array_sag | vpn | Traffic (srcip), Syslog (otherwise)
Aruba ClearPass Policy Manager (CEF) | 5143 | aruba_clear_pass | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Aruba Switch | 5577 | aruba_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Automox | 5183 | automox | patch | Syslog
Avanan | 5681 | avanan | email | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Avanan (HTTP JSON) | 5200 (tcp only) | avanan | email | Syslog
Avaya Switch | 5607 | avaya_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AWS WAF (HTTP JSON) | 5200 (tcp only) | aws_waf | waf | Syslog
Azure ATP (CEF) | 5143 | azure_atp | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Azure MFA | 5528 | azure_mfa | iam | Traffic (srcip), Syslog (otherwise)
Barracuda email | 5559 | barracuda_email | email | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Barracuda firewall | 5524 | barracuda_fw | firewall | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
Barracuda WAF | 5524 | barracuda_waf | waf | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
BeyondTrust BeyondInsight | 5621 | beyondtrust_beyondinsight | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
BeyondTrust PasswordSafe | 5692 | beyondtrust_passwordsafe | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Bitdefender (HTTP JSON / Syslog JSON) | 5200 (tcp only) / 5142 | bitdefender | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
BlackBerry CylancePROTECT & CylanceOPTICS | 5177 | cylance, cylance_optics, cylance_protect | endpoint | Traffic (srcip), Syslog (otherwise)
BlueCoatProxySG | 5576 | bluecoat_proxysg | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Brocade switch (system & admin logs) | 5548 | brocade_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Calyptix UTM | 5161 | calyptix | firewall | ML IDS/Malware (ids.signature), Traffic (srcip), Syslog (otherwise)
Centos Audit | 5673 | centos_audit | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Centrify | 5165 | centrify | iam | Syslog
Cerberus FTP Logs | 5635 | cerverus_ftp | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Check Point - Application Control (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Check Point - URL Filtering (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CheckPoint appliance | 5174 | fw_checkpoint_appliance | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CheckPoint firewall | 5519 | fw_checkpoint | firewall | Traffic (srcip), Syslog (otherwise)
CheckPoint Harmony EP | 5618 | checkpoint_harmony_ep | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CheckPoint VPN-1 & FireWall-1 (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco ASA | 5518 | fw_cisco_asa | firewall | Traffic (srcip), Syslog (otherwise)
Cisco CUCM | 5532 | cisco_cucm | voip | Syslog
Cisco ESA | 5562 | cisco_esa | email | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco ESA | 5164 (deprecated) | openldap_style | email | Syslog
Cisco Firepower | 5168 | ips_fire_power | firewall | Traffic (srcip), Syslog (otherwise)
Cisco IKE | 5176 | ciscovpn | vpn | Syslog
Cisco IronPort | 5163 | cisco_ironport | email | Syslog
Cisco ISE | 5157 | ciscoise | asset | Syslog
Cisco MDS | 5563 | cisco_mds | netlogs | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Meraki | 5172 | meraki | firewall | Traffic (srcip), Syslog (otherwise); ML IDS/Malware (threat), (device_event_category, msg, signature, event_severity), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Netflow | 2055 (udp only) | netflow | traffic | Traffic
Cisco routers and switches | 5158 | cisco_router_switch | netlogs | Syslog
Cisco UCS | 5579 | cisco_ucs | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Umbrella | 5521 | cisco_umbrella | dnssec | Syslog
Cisco VPN | 5156 | ciscovpn | vpn | Syslog
Cisco WLC | 5531 | cisco_wlc | wireless | Syslog
Citrix Access Gateway | 5688 | citrix_access_gateway | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Citrix NetScaler | 5166 | netscaler | netmgmt | Syslog
Citrix NetScaler (CEF) | 5143 | netscaler | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CoSoSys Endpoint Protection | 5654 | cososys | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Comodo - CIS CCS (CEF) | 5143 | comodo | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CoreLight Sensor | 5575 | corelight_sensor | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cribl default (Syslog JSON) | 5142 | json | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cribl / NXLog (log -> NXLog -> Cribl) (Syslog JSON) | 5142 | microsoft | endpoint | Windows Events
CrowdStrike (beats) | 5044 | crowdstrike | endpoint | Syslog
CrowdStrike (CEF) | 5143 | crowdstrike | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CyberArk PTA (CEF) | 5143 | cyberark | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cynet (CEF) | 5143 | cynet | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
D-Link | 5189 | dlink | wireless | Traffic (srcip), Syslog (otherwise)
DBSafer | 5181 | dbsafer | dlp | Syslog
Deep Instinct | 5628 | deep_instinct | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dell EMC Powerstore | 5683 | dell_powerstore | storage | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dell iDRAC | 5566 | dell_idrac | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dell Switch | 5578 | dell_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
DHCP (beats) | 5044 | dhcp | netmgmt | Traffic (srcmac), Syslog (otherwise)
DHCPD (IS DHCP) | 5554 | dhcpd | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
DNSVault RPZdb | 5639 | dnsvault_rpzdb | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dragos (CEF) | 5539 | dragos | otsec | Traffic (srcip), Syslog (otherwise)
DrayTek Firewall | 5593 | draytek_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
eDictionary - eDictionary (CEF) | 5143 | edictionary | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Egnyte (Syslog JSON / HTTP JSON) | 5142 / 5200 (tcp only) | egnyte | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Ericom ZTEdge | 5603 | ericom_ztedge | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ESET PROTECT | 5655 | eset_protect | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ExtraHop (CEF) | 5143 | extrahop | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Extreme AirDefense | 5612 | extreme_airdefense | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Extreme Controller | 5666 | extreme_controller | wireless | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ExtremeCloud IQ Site Engine | 5614 | extreme_site_engine | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 - ASM (CEF) | 5143 | f5 | waf | ML IDS/Malware (threat, normalized from attack_type), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 BIG-IP | 5162 | f5_big_ip | firewall | ML IDS/Malware (IDS signature), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 BIG-IP Telemetry (HTTP JSON) | 5200 (tcp only) | f5_big_ip | firewall | Syslog
F5 IPI | 5536 | f5_threat_intelligence | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 iRule | 5536 | f5_irule | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 L7 DDOS | 5536 | f5_l7ddos | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 Mitigation | 5536 | f5_ddos | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 NGINX | 5151 | nginx | weblogs | Syslog
F5 Silverline | 5536 | f5_silverline | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 VPN | 5187 | f5_vpn | vpn | Syslog
F5 WAF | 5536 | f5_waf | waf | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
FatPipe Networks SD-WAN | 5583 | fatpipe_sd_wan | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
FluentD (HTTP JSON) | 5200 (tcp only) | kubernetes | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint | 5143 | forcepoint_dlp | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint - Firewall (CEF) | 5143 | forcepoint_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint - DLP (CEF) | 5143 | forcepoint | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint - Firewall (CEF) | 5143 | forcepoint | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint Web Security (CEF) | 5143 | forcepoint | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ForeScout | 5154 | forescout | asset | Syslog
Fortinet FortiAnalyzer | 5542 | forti_analyzer | ndr | ML IDS/Malware (vendor.attack_name), Traffic (dstip), Syslog (otherwise)
Fortinet FortiAuthenticator | 5671 | fortinet_fortiauthenticator | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiEDR | 5661 | fortinet_fortiedr | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet Forticloud FortiClient EMS Cloud Endpoint Management Services | 5682 | fortinet_forticlient_ems | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiGate | 5517 | fw_fortigate | firewall | Traffic (action), Syslog (otherwise)
Fortinet Fortigate (CEF) | 5143 | fw_fortigate | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiMail | 5616 | forti_mail | email | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiSandbox | 5648 | fortinet_fortisandbox | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiWeb | 5642 | fortinet_fortiweb | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
FutureSystems WeGuardia SSL plus (SSL VPN) | 5651 | future_systems_weguardia_ssl_plus | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Graylog format | 5569 | graylog | endpoint | Windows Events (winlogevent), ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Guardicore (CEF) | 5143 | guardicore | cloudsec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
HanDreamnet VIPM | 5676 | handreamnet_vipm | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Hewlett Packard UNIX | 5585 | hp-ux | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Hillstone | 5514 | fw_hillstone | firewall | ML IDS/Malware (log_type: threat), Traffic (log_type: traffic)
HPE Switch | 5595 | hpe_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
IBM AS400 | 5632 | ibm_i | ibm_os_logs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Impero ContentKeeper | 5670 | impero_contentkeeper | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Incapsula SIEM Integration (CEF) | 5143 | incapsula | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Imperva - SecureSphere (CEF) | 5143 | imperva_secure_sphere | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Indusface Web Application Firewall | 5582 | indusface_waf | waf | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Infoblox Data Connector (CEF) | 5143 | infoblox | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Infoblox Network Identity OS (NIOS) | 5587 | infoblox_nios | dnssec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Infocyte HUNT (CEF) | 5143 | infocyte | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
IronScales (CEF) | 5143 | ironscales_irontraps | email | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
IPFIX | 4739 (udp only) | ipfix | traffic | Traffic (srcip, srcport, dstip, dstport, and proto)
Jsonar Database Security Tool | 5586 | jsonar_db_security_tool | dblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Juniper SRX | 5173 | fw_juniper_srx | firewall | Traffic (srcip), Syslog (otherwise)
Juniper SSG | 5516 | fw_juniper_ssg | firewall | Traffic (srcip), Syslog (otherwise)
Juniper Switch | 5591 | juniper_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
KasperskyLab (CEF) | 5143 | kasperskylab | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Kemp Technologies Load Master LB | 5695 | kemp_technologies_load_master_lb | weblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Keycloak | 5653 | keycloak | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Lancope - StealthWatch (LEEF) | 5522 | lancope_stealthwatch | firewall | Traffic (srcip), Syslog (otherwise)
LanScope Cat | 5588 | lanscope_cat | endpoint | Syslog
Lepide | 5607 | lepide | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Linux Syslog | 5555 | linux_syslog | unixlogs | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Logstash Suricata | 5629 | logstash_suricata | ndr | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Mailboarder Agent | 5580 | mailboarder_agent | email | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Mako Networks firewall | 5547 | mako_fw | firewall | Traffic (dstip), Syslog (otherwise)
ManageEngine ADAudit Plus | 5679 | manageengine_adaudit_plus | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ManageEngine ADAuditPlus (CEF) | 5143 | manageengine | iam | Windows Events
McAfee (CEF) | 5143 | mcafee_web_gateway if Web Gateway is in the product name; otherwise the value is determined from the CEF vendor field | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
McAfee Advanced Threat Defense | 5584 | mcafee_atd | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
McAfee ePolicy Orchestrator | 5533 | mcafee_epo | endpoint | Traffic (srcip), Syslog (otherwise)
McAfee Firewall | 5169 | mcafee_firewall | firewall | Traffic (srcip), Syslog (otherwise)
McAfee Network Security | 5527 | mcafee_ns | ipds | Traffic (srcip), Syslog (otherwise)
MCAS SIEM Agent (CEF) | 5143 | mcas | firewall | Windows Events
Medigate | 5631 | medigate | iotsec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Menlo Security MS-XL50M | 5630 | menlo | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Microsoft IIS | 5636 | microsoft_iis | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Microsoft IIS (Syslog JSON) | 5142 | json | weblogs | Syslog
Microsoft Office 365 | 5627 | office365 | office_suite | Windows Events
Microsoft Windows Event | 5646 | microsoft_windows_event | endpoint | Windows Events (winlogevent), Syslog (otherwise)
Microsoft Windows via Graylog | 5569 | microsoft_windows | endpoint | Windows Events (winlogevent)
MicroWorld eScan | 5645 | microworld_escan | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
MikroTik firewall and router | 5553 | mikrotik | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
MONITORAPP AI WAF 4.1 | 5613 | monitorapp_ai_waf | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
MONITORAPP WAF 1.0 | 5535 | monitor_app | websec | Traffic (srcip), Syslog (otherwise)
Nasuni | 5592 | nasuni | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
NetApp | 5608 | netapp | dblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Netfilter | 5544 | netfilter | netlogs | Traffic (dstip), Syslog (otherwise)
NetIQ - Identity Manager (CEF) | 5143 | netiq_identity_manager | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
NetIQ Access Manager | 5167 | access_manager | iam | Syslog
NetIQ SSO | 5171 | netiqsso | iam | Syslog
Netman Smart NAC | 5650 | netman_smart_nac | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
NetMotion | 5641 | absolute_netmotion | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
NXLog (also see Cribl, above) | 5601 | nxlog | paas | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
OneLogin | 5581 | one_login | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Open LDAP (for Cisco ESA, use 5562) | 5164 | openldap_style | email | Syslog
OpenCanary | 5638 | opencanary | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
OpenShift | 5573 | redhat_openshift | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
OpenVPN | 5643 | openvpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
OPNsense | 5660 | opnsense | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Oracle DB | 5170 | oracle | dblogs | Traffic (srcip), Syslog (otherwise)
Oracle Solaris | 5664 | oracle_solaris | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Ordr Connected Device Security | 5622 | ordr_cds | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
PacketFence | 5686 | packetfence | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Palo Alto Networks - Next Generation Firewall (LEEF) | 5522 | fw_palo_alto | firewall | Traffic (srcip), Syslog (otherwise)
Palo Alto Networks - Traps Agent (CEF) | 5143 | palo_alto_networks_traps_agent | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Palo Alto Networks Next-Generation Firewall and Panorama (BSD syslog and CSV) | 5515 | fw_palo_alto | firewall | Traffic (type: traffic), ML IDS/Malware (type: threat), Syslog (otherwise)
Palo Alto Networks Firewall via Graylog | 5569 | fw_palo_alto | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Penta Security WAPPLES WAF | 5560 | penta_security_wapples | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Peplink XDR | 5665 | peplink_xdr | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Perception Point X-Ray | 5667 | perceptionpoint_xray | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
pfSense Firewall | 5543 | pfsense_fw | firewall | Syslog
PIOLINK WEBFRONT-K | 5617 | piolink_webfront_k | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
PrintChaser | 5179 | printchaser | dlp | Syslog
Privacy-i | 5178 | privacy | dlp | Syslog
Proofpoint | 5596 (5160 is deprecated) | proofpoint | email | Syslog
Pulse Secure | 5534 | pulse_secure | vpn | Syslog
Radware DefensePro | 5619 | radware_defense_pro | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Rapid7 | 5153 | rapid7 | security_scan | Syslog
RazLeeSecurity - Audit (CEF) | 5143 | ibm_raz_lee_security | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
RSA Authentication Manager | 5184 | rsa_auth | nsa | Syslog
Ruckus ZoneDirector | 5662 | ruckus_zone_director | wireless | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
RuiJie Switch | 5689 | ruijie_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SafePC | 5180 | safepc | cloudsec | Syslog
Sangfor NGAF | 5637 | sangfor_ngaf | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SECUI Firewall | 5561 | secui_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SECUI MF2 Firewall | 5570 | secui_mf2 | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SECUI MFD | 5611 | secui_mfd | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Secureki APPM 6 | 5693 | secureki_appm | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Security Strategy Research (SSR) Metieye | 5572 | ssr_metieye | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Secuway SSLVPN (U v1.0 / M v3.0, v3.1) | 5652 | secuwiz_secuway_sslvpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SentinelOne (CEF2) | 5175 | cef_device_vendor | endpoint | Traffic (srcip), Syslog (otherwise)
SentinelOne Mgmt (CEF) | 5143 | sentinelone_endpoint | endpoint | ML IDS/Malware (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SentinelOne Security Center (CEF) | 5143 | sentinelone_endpoint | endpoint | ML IDS/Malware (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

SentinelOne Singularity Mobile

5623

sentineone_sm

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ServiceNow Now Platform

5668

servicenow_nowplatform

paas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ShareTech Firewall

5609

sharetech_fw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Snare Agent

5590

snare_agent

paas

Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Sniper IPS 5182 sniperips

idps

Traffic (srcip), Syslog (otherwise)
SonicWall (CEF) 5143

sonicwall

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

SonicWall - NSA 2400 (CEF)

5143

sonicwall_nsa

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

SonicWall Firewall 5152 sonicfw

firewall

ML IDS/Malware (IDS signature), Traffic (srcip), Syslog (otherwise)
SonicWall VPN 5556 sonicwall_vpn

vpn

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Sophos (CEF)

5143

sophos

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Sophos (JSON) 5530 sophos

endpoint

Traffic (endpoint_type: traffic), ML IDS/Malware (endpoint_type: threat), Syslog (endpoint_type: computer)
Sophos endpoint 5565

endpoint_sophos

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Sophos endpoint (beats) 5044 endpoint_sophos

endpoint

Traffic (srcip), Syslog (otherwise)
Sophos firewall 5520 fw_sophos

firewall

Data goes to the indicated index based on the log_type:

  • If Firewall, then Traffic index

  • If any one of IDP, Anti-Virus, Anti-Spam, or Content Filter it goes to ML-IDS/Malware Index

  • For any other log_type, if srcip exists then it goes to the Traffic Index

  • All other data goes to the Syslog index

Sophos Web Appliance

5626

sophos_web_app

websec

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Splunk Heavy Forwarder 5188 splunk_forwarder

netmgmt

Syslog

Stormshield Net Security Firewall

5625

stormshield_fw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Symantec Endpoint Protection 5525 symantec_ep

endpoint

Traffic (dstip), Syslog (otherwise)
Symantec Firewall 5155 symantec

firewall

Syslog
Symantec Messaging Gateway 5567 symantec_messaging_gateway

email

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Symantec (CEF) 5143 symantec_dlp

dlp

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Synology Directory Server

5597

synology_directory_server

asset

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Thales Group CipherTrust Manager

5674

thales_cipher_trust_manager

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Trellix FireEye HX

5644

fireeye_hx

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Trend Micro - Deep Security Agent (LEEF) 5522

trendmicro_dsa

endpoint

Traffic (srcip), Syslog (otherwise)

Trend Micro Apex Central (CEF)

5143

trendmicro_apex_central

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Trend Micro (CEF) 5143

trendmicro

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Trend Micro Interscan Messaging

5678

trend_micro_interscan_messaging

saas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Trend Micro Proxy 5540 trendmicro_proxy

websec

Traffic (dstip), Syslog (otherwise)

Trend Micro TippingPoint

5672

trend_micro_tippingpoint

idps

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Tripwire Enterprise 5186 tripwire

endpoint

Syslog
Ubiquiti 5552 ubiquiti

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Unix

5633

unix

unixlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Untangle Firewall (Syslog JSON)

5142

json

firewall

ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Varonis DatAdvantage (CEF) 5143 varonis_datadvantage

dlp

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Versa Networks Firewall 5568 versa_networks_fw

firewall

ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
VMware - Carbon Black (LEEF) 5522

vmware_cb

endpoint

Traffic (srcip), Syslog (otherwise)

VMware ESXi

5600 vmware

unixlogs

Syslog

VMWare Horizon

5687

vmware_horizon

paas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

VMware NSX-T Data Center 5574 vmware_nsx_t

endpoint (unless log type is dfwpktlogs, then category is firewall)

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

VMware UAG

5620

vmware_uag

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

VMware Vcenter

5615

vmware_vcenter

itsm

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

VMWare VeloCloud SD-WAN

5685

vmware_velocloud_sdwan

netmgmt

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

WatchGuard - XTM (LEEF) 5522

watchguard_fw

firewall

Traffic (srcip), Syslog (otherwise)

WatchGuard firewall security appliance 5557 watchguard_fw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Wazuh

5634

wazuh_siem

endpoint

Windows Events (winlogevent) , Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Windows DNS Server

5599

windows_dns_server

weblogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Windows Event NXLog

Click here to configure HostIP

5601

microsoft_windows

endpoint

Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Windows System Security

5610

windows_system_security

endpoint

Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Wins IPS ONE-1 / Wins DDX 5538 winsips

idps

ML IDS/Malware (vendor.attack_name), Syslog (otherwise)
WINS Sniper NGFW

5649

wins_sniper_ngfw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Zix Mail 5185 zix_mail

email

Traffic (srcip), Syslog (otherwise)

Zscaler NSS Web log (CEF)

5143

zscaler

websec

Syslog

Zscaler ZIA Firewall 5549 zscaler_zia_fw

firewall

ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Zscaler ZIA Web 5550 zscaler_zia_web

weblogs

ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Zscaler ZPA 5551 zscaler_zpa

vpn

ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Zyxel Firewall

5594

zyxel_fw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)