Log Parser Ports

Stellar Cyber sensors require open inbound ports on your firewall in order to receive and parse logs from devices on your network. The ports are already open by default on the sensor but you must open the appropriate ports on your firewall. This topic lists the supported log parsers and related details. Log parsers are organized in the following categories:

Generic
Vendor-specific

Also see: Firewall Requirements

Unless otherwise noted, the ports listed are applicable for both UDP and TCP.

During installation, the timezone for sensors are automatically set to UTC+0. Since the logs for some security products may only include the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to the same timezone as your security product.

Choosing an Ingestion Port

Sensors listen on port 514 by default. They then analyze the logs to determine the source device. In some cases, Stellar Cyber has specific ports to process industry standard log formats, as well as specialized parsers to process vendor-specific logs in a more detailed manner. If you can identify a more specific port for your log type than port 514, you:

Speed up your data ingestion and log parsing, and increase sensor performance, because the sensor already knows the source device
Retain the correct log source, because logs received on port 514 have the source set to local when forwarded to the data processor

Use the following as a guide:

If the logs are in standard Common Event Format (CEF), Log Event Extended Format (LEEF), or JavaScript Object Notation (JSON) format, forward to the data to the port specific to that standard as listed in Generic Log Parsers.
If the logs are in standard Syslog format use the port applicable for that vendor.
If the logs are in a specialized format such as a Syslog and regular expression or key: value pairs or csv, use the Vendor-specific ports.

Using the Port Relay Feature to Minimize Open Ports

It's a best practice in Stellar Cyber to send logs to their vendor-specific parsers, when available. In releases previous to 4.3.5, this was accomplished by referring to the list of supported vendor-specific ports, pointing your log sources to that port on the sensor IP address, and opening the port in your firewall.

This approach is still available and can be used. As an alternative, however, you can configure your sensors to accept log traffic on the generic syslog ports of 514 (non-TLS) or 6514 (TLS) and relay that traffic to vendor-specific ports internally based on the source traffic's IP address.

You do this differently depending on the release your sensors are running:

For sensors running 4.3.5, you configure port relay in the sensor CLI using the instructions below.
For sensors running 4.3.6, you configure port relay in the System | Collection | Log Sources page. In 4.3.6, CLI configuration is deprecated and only the Log Sources page is used.

Configuring Port Relay in the CLI ()

You configure the port relay feature for sensors running 4.3.5 using the set logforwarder device-ip command in the sensor CLI. The procedure is as follows:

Find the IP address of your log source.
Use the Log Parser Ports topic to find the parser port for your log source.
Connect to the sensor CLI.
Use the set logforwarder device-ip command to make an entry on the sensor for your log source and the corresponding destination port. The syntax is as follows:

set logforwarder device-ip <IP Address> parser-port <Integer> ingestion-port <514|6514 default=514>

So, for example, if you are sending Azure MFA logs from 10.33.5.5 to the sensor, you could either send them directly to port 5528 as you did in previous releases, or you could send them to the standard syslog port of 514 and use the following command on the sensor to relay them internally to 5528:

set logforwarder device-ip 10.33.5.5 parser-port 5528

This command tells the sensor to relay logs received on port 514 (the default, which is why it is not explicitly specified in the command above) from 10.33.5.5 to the vendor-specific parser port of 5528 for Azure MFA.

You can also use the ingestion-port argument if you want to listen for a source on the generic TLS syslog port instead of the default of 514. For example, for Netfilter logs sent from 10.31.2.2, you would use the following command to relay them from 6514 to their vendor-specific parser port of 5544:

set logforwarder device-ip 10.31.2.2 parser-port 5544 ingestion-port 6514

Notes on Using the Port Relay Feature

Keep in mind the following tips when using the port relay feature:

Keep in mind that the sending log source must be on the same subnet as the receiving sensor. There must be no proxy capable of changing the log source IP between the sending log source and the receiving sensor.
When you create a port relay entry, the sensor listens for both UDP and TCP traffic from the specified source. You can see this with the show logforwarder port-ingestion command. For example:
The show logforwarder port-ingestion command is also a useful tool for troubleshooting port relay entries. You can see packet and byte counts for relayed traffic and determine whether traffic is reaching the sensor.
You can remove port relay entries using unset logforwarder device-ip <IP Address>.
The CLI warns you if you try to add an unsupported parser port. It still adds the unsupported port but lists it in the show logforwarder port-ingestion output as inactive.

Generic Log Parsers

This table includes all supported generic log parser formats, the required firewall port, device type, and the associated Stellar Cyber index.

Use the msg_origin.source field in the Interflow to find the logs when threat hunting in the specified index.

In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser type (cef, leef).

When the DP processes the logs it decides the index based on the data in the logs. For example, in the table the Index for LEEF is Traffic (srcip), Syslog (otherwise). This means that the index will be Traffic if a source IP address is detected, or Syslog if not, in that order.

Following are the firewall ports to open for generic log formats, along with other useful details.

Standard	Port	msg_origin.source	Index	Comments
CEF	5143	cef_device_vendor	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) The following vendor records are also indexed in ML IDS / Malware, with the threat field being normalized from logs as indicated below: If cef_device_vendor: Check Point, then the threat field is normalized from attack_information. If cef_device_vendor: F5, then the threat field is normalized from attack_type If cef_device_vendor: SentinelOne, then the threat field is normalized from classification	Stellar Cyber recommends you use CEF, if available.
CEF2	5175	cef_device_vendor	Traffic (srcip), Syslog (otherwise)	-
Generic capture	5201	generic_capture	Syslog	-
Generic syslog	514	-	-	Use only if you must use a log forwarder.
HTTP JSON	5200 (tcp)	httpjson	Syslog	When you configure your log forwarding for the HTTP JSON parser on this port, you must append /httpjson at the end of the URL of the target sensor. Example: http://<sensor-ip>:5200/httpjson
JSON stream	5142	json	Syslog
JSON beats	5044	beats	Syslog	-
LEEF	5522	vendor	Traffic (srcip), Syslog (otherwise)	Stellar Cyber recommends you use LEEF, if available. It's primarily useful for logs from IBM QRadar, for which LEEF was developed.
Linux Syslog	5555	linux_syslogs	Syslog
RFC 3164	5140	syslog	Syslog	-
RFC 5424	5141	syslog	Syslog	-
RFC 5424 Enhanced	5589	syslog_rfc5424	Syslog

Vendor-specific Log Parsers

This table includes all supported vendor-specific parsers, the required firewall port, device type, and their associated Stellar Cyber indices.

The msg_origin.source column specifies the vendor's product. Use the field in the Interflow to find the logs when threat hunting in the specified index. The msg_origin.category column specifies the overall category.

The index column indicates the fields that must be present (and not null) for the logged data to be entered into the respective index. In some cases, no specific field is required, so just the index name is listed. For many parsers, the remaining data that is not mapped to a specific index is "otherwise" mapped into the Syslog index. For example, for FortiAnalyzer logs received on port 5542, data is added to the ML IDS/Malware index if the incoming field vendor.attack_name is not null. Data is added to the Traffic index if dstip is not null. The remaining data is added to the Syslog index. Use the dev_type field in the Interflow to find the logs when threat hunting in the specified index.

Device	Port	msg_origin.source	msg_origin.category	Index
(OpnSense) Zenarmor plugin logs	5604	sunny_valley_networks_zenarmor	firewall	Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)
AAA - Core (CEF)	5143	netiq_advance_auth	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Accops	5526	accops	vpn	Traffic (srcip), Syslog (otherwise)
Ahnlab AIPS	5647	ahnlab_aips	idps	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Ahnlab EMS	5657	ahnlab_ems	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Ahnlab EPP	5640	ahnlab_epp	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AhnLab Policy Center	5571	ahnlab_policy_center	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AhnLab TrusGuard	5558	ahnlab_trusguard	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AirGap Ransomware Kill Switch	5602	airgap_ransomware_kill_switch	saas	Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)
AIX	5523	aix	unixlogs	Traffic (event_time: time format of hour:minute:second), Syslog (otherwise)
Alcatel Lucent Switch	5677	alcatel_lucent_switch	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Aliyun / AliCloud	5545	aliyun	paas	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Android	5605	android	unixlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Apache HTTP Server (httpd)	5663	apache_httpd	weblogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AQTRONiX WebKnight	5658	aqtronix_webknight	waf	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Aqua Cloud Native Application Protection Platform (CNAPP 2022.4)	5656	aquasecurity_cnapp	paas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Arbor Peakflow SP	5598	arbor_peakflow_sp	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Array Networks APV Series Load Balancing & App Delivery	5680	array_networks_apv	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Array Networks ASF 1800	5675	array_networks_asf_1800	waf	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Array Networks Secure Access Gateway	5537	array_sag	vpn	Traffic (srcip), Syslog (otherwise)
Aruba ClearPass Policy Manager (CEF)	5143	aruba_clear_pass	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Aruba Switch	5577	aruba_switch	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Automox	5183	automox	patch	Syslog
Avanan	5681	avanan	email	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Avanan (HTTP JSON)	5200 (tcp only)	avanan	email	Syslog
Avaya Switch	5607	avaya_switch	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)
AWS WAF (HTTP JSON)	5200 (tcp only)	aws_waf	waf	Syslog
Azure ATP (CEF)	5143	azure_atp	iam	Traffic (srcip, srcport, dstip, dstports, and proto), Syslog (otherwise)
Azure MFA	5528	azure_mfa	iam	Traffic (srcip), Syslog (otherwise)
Barracuda email	5559	barracuda_email	email	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Barracuda firewall	5524	barracuda_fw	firewall	ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
Barracuda WAF	5524	barracuda_waf	waf	ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
BeyondTrust BeyondInsight	5621	beyondtrust_beyondinsight	iam	Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)
BeyondTrust PasswordSafe	5692	beyondtrust_passwordsafe	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Bitdefender (HTTP JSON) (Syslog JSON) Click here to configure log ingestion	5200 (tcp only) 5142	bitdefender	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)
BlackBerry CylancePROTECT & CylanceOPTICS	5177	cylance cylance_optics cylance_protect	endpoint	Traffic (srcip), Syslog (otherwise)
BlueCoatProxySG	5576	bluecoat_proxysg	websec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Brocade switch (system & admin logs)	5548	brocade_switch	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Calyptix UTM	5161	calyptix	firewall	ML IDS/Malware (ids.signature), Traffic (srcip), Syslog (otherwise)
Centos Audit	5673	centos_audit	unixlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Centrify	5165	centrify	iam	Syslog
Cerberus FTP Logs	5635	cerverus_ftp	unixlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Check Point - Application Control (CEF)	5143	fw_checkpoint	firewall	ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport,dstip,dstport, and proto), Syslog (otherwise)
Check Point - URL Filtering (CEF)	5143	fw_checkpoint	firewall	ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CheckPoint appliance	5174	fw_checkpoint_appliance	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CheckPoint firewall	5519	fw_checkpoint	firewall	Traffic (srcip), Syslog (otherwise)
CheckPoint Harmony EP	5618	checkpoint_harmony_ep	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CheckPoint VPN-1 & FireWall-1 (CEF)	5143	fw_checkpoint	firewall	ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco ASA	5518	fw_cisco_asa	firewall	Traffic (srcip), Syslog (otherwise)
Cisco CUCM	5532	cisco_cucm	voip	Syslog
Cisco ESA	5562	cisco_esa	email	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco ESA	5164 (deprecated)	openldap_style	email	Syslog
Cisco Firepower	5168	ips_fire_power	firewall	Traffic (srcip), Syslog (otherwise)
Cisco IKE	5176	ciscovpn	vpn	Syslog
Cisco IronPort	5163	cisco_ironport	email	Syslog
Cisco ISE	5157	ciscoise	asset	Syslog
Cisco MDS	5563	cisco_mds	netlogs	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Meraki	5172	meraki	firewall	Traffic (srcip), Syslog (otherwise) ML IDS/Malware (threat), (device_event_category,msg,signature,event_severity), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Netflow	2055 (udp only)	netflow	traffic	Traffic
Cisco routers and switches	5158	cisco_router_switch	netlogs	Syslog
Cisco UCS	5579	cisco_ucs	unixlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Umbrella	5521	cisco_umbrella	dnssec	Syslog
Cisco VPN	5156	ciscovpn	vpn	Syslog
Cisco WLC	5531	cisco_wlc	wireless	Syslog
Citrix Access Gateway	5688	citrix_access_gateway	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Citrix NetScaler	5166	netscaler	netmgmt	Syslog
Citrix NetScaler (CEF)	5143	netscaler	netmgmt	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CoSoSys Endpoint Protection	5654	cososys	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Comodo- CIS CCS (CEF)	5143	comodo	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CoreLight Sensor Click here to configure log ingestion	5575	corelight_sensor	websec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cribl default (Syslog JSON)	5142	json	xdr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cribl / NXLog (log -> NXLog ->Cribl) (Syslog JSON)	5142	microsoft	endpoint	Windows Events
CrowdStrike (beats)	5044	crowdstrike	endpoint	Syslog
CrowdStrike (CEF)	5143	crowdstrike	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CyberArk PTA (CEF) Click here to configure log ingestion	5143	cyberark	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cynet (CEF)	5143	cynet	xdr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
D-Link	5189	dlink	wireless	Traffic (srcip), Syslog (otherwise)
DBSafer	5181	dbsafer	dlp	Syslog
Deep Instinct	5628	deep_instinct	saas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dell EMC Powerstore	5683	dell_powerstore	storage	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dell iDRAC	5566	dell_idrac	saas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dell Switch	5578	dell_switch	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
DHCP (beats)	5044	dhcp	netmgmt	Traffic (srcmac), Syslog (otherwise)
DHCPD (IS DHCP)	5554	dhcpd	netmgmt	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
DNSVault RPZdb	5639	dnsvault_rpzdb	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dragos (CEF)	5539	dragos	otsec	Traffic (srcip), Syslog (otherwise)
DrayTek Firewall	5593	draytek_fw	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
eDictionary - eDictionary (CEF)	5143	edictionary	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Egnyte (Syslog JSON) (HTTP JSON)	5142 5200 (tcp only)	egnyte	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Ericom ZTEdge	5603	ericom_ztedge	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ESET PROTECT	5655	eset_protect	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ExtraHop (CEF)	5143	extrahop	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Extreme AirDefense	5612	extreme_airdefense	idps	Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)
Extreme Controller	5666	extreme_controller	wireless	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ExtremeCloud IQ Site Engine	5614	extreme_site_engine	asset	Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)
F5 - ASM (CEF)	5143	f5	waf	ML IDS/Malware (threat, normalized from attack_type), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 BIG-IP	5162	f5_big_ip	firewall	ML IDS/Malware (IDS signature), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 BIG-IP Telemetry (HTTP JSON)	5200 (tcp only)	f5_big_ip	firewall	Syslog
F5 IPI	5536	f5_threat_intelligence	firewall	ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 iRule	5536	f5_irule	firewall	ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 L7 DDOS	5536	f5_l7ddos	firewall	ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 Mitigation	5536	f5_ddos	firewall	ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 NGINX	5151	nginx	weblogs	Syslog
F5 Silverline	5536	f5_silverline	firewall	ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 VPN	5187	f5_vpn	vpn	Syslog
F5 WAF	5536	f5_waf	waf	ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
FatPipe Networks SD-WAN	5583	fatpipe_sd_wan	netmgmt	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
FluentD (HTTP JSON)	5200 (tcp only)	kubernetes	paas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint	5143	forcepoint_dlp	dlp	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint - Firewall (CEF)	5143	forcepoint_fw	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint -DLP (CEF)	5143	forcepoint	dlp	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint -Firewall (CEF)	5143	forcepoint	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint Web Security (CEF)	5143	forcepoint	paas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ForeScout	5154	forescout	asset	Syslog
Fortinet FortiAnalyzer	5542	forti_analyzer	ndr	ML IDS/Malware (vendor.attack_name), Traffic (dstip), Syslog (otherwise)
Fortinet FortiAuthenticator	5671	fortinet_fortiauthenticator	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiEDR	5661	fortinet_fortiedr	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet Forticloud FortiClient EMS Cloud Endpoint Management Services	5682	fortinet_forticlient_ems	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiGate	5517	fw_fortigate	firewall	Traffic (action), Syslog (otherwise)
Fortinet Fortigate (CEF)	5143	fw_fortigate	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiMail	5616	forti_mail	email	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiSandbox	5648	fortinet_fortisandbox	asset	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Fortinet FortiWeb	5642	fortinet_fortiweb	waf	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
FutureSystems WeGuardia SSL plus (SSL VPN)	5651	future_systems_weguardia_ssl_plus	vpn	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Graylog format	5569	graylog	endpoint	Windows Events (winlogevent), ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Guardicore (CEF)	5143	guardicore	cloudsec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
HanDreamnet VIPM	5676	handreamnet_vipm	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Hewlett Packard UNIX	5585	hp-ux	unixlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Hillstone	5514	fw_hillstone	firewall	ML IDS/Malware log_type: threat), Traffic (log_type: traffic),
HPE Switch	5595	hpe_switch	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
IBM AS400	5632	ibm_i	ibm_os_logs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Impero ContentKeeper	5670	impero_contentkeeper	websec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Incapsula SIEM Integration (CEF)	5143	incapsula	waf	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Imperva - SecureSphere (CEF)	5143	imperva_secure_sphere	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Indusface Web Application Firewall	5582	indusface_waf	waf	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Infoblox Data Connector (CEF)	5143	infoblox	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Infoblox Network Identity OS (NIOS)	5587	infoblox_nios	dnssec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Infocyte HUNT (CEF)	5143	infocyte	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
IronScales (CEF)	5143	ironscales_irontraps	email	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
IPFIX	4739 (udp only)	ipfix	traffic	Traffic (srcip, srcport, dstip, dstport, and proto)
Jsonar Database Security Tool	5586	jsonar_db_security_tool	dblogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Juniper SRX	5173	fw_juniper_srx	firewall	Traffic (srcip), Syslog (otherwise)
Juniper SSG	5516	fw_juniper_ssg	firewall	Traffic (srcip), Syslog (otherwise)
Juniper Switch	5591	juniper_switch	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
KasperskyLab (CEF)	5143	kasperskylab	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Kemp Technologies Load Master LB	5695	kemp_technologies_load_master_lb	weblogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Keycloak	5653	keycloak	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Lancope - StealthWatch (LEEF)	5522	lancope_stealthwatch	firewall	Traffic (srcip), Syslog (otherwise)
LanScope Cat	5588	lanscope_cat	endpoint	Syslog
Lepide	5607	lepide	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)
Linux Syslog	5555	linux_syslog	unixlogs	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Logstash Suricata	5629	logstash_suricata	ndr	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Mailboarder Agent	5580	mailboarder_agent	email	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Mako Networks firewall	5547	mako_fw	firewall	Traffic (dstip), Syslog (otherwise)
ManageEngine ADAudit Plus	5679	manageengine_adaudit_plus	iam	Windows Events
ManageEngine ADAuditPlus (CEF)	5143	manageengine	iam	Windows Events
McAfee (CEF)	5143	If Web Gateway is in the product name, dev_type is set to: mcafee_web_gateway Otherwise the value is determined from the CEF vendor field	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
McAfee Advanced Threat Defense	5584	mcafee_atd	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
McAfee ePolicy Orchestrator	5533	mcafee_epo	endpoint	Traffic (srcip), Syslog (otherwise)
McAfee Firewall	5169	mcafee_firewall	firewall	Traffic (srcip), Syslog (otherwise)
McAfee Network Security	5527	mcafee_ns	ipds	Traffic (srcip), Syslog (otherwise)
MCAS SIEM Agent (CEF)	5143	mcas	firewall	Windows Events
Medigate	5631	medigate	iotsec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Menlo Security MS-XL50M	5630	menlo	websec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Microsoft IIS	5636	microsoft_iis	netmgmt	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Microsoft IIS (Syslog JSON)	5142	json	weblogs	Syslog
Microsoft Office 365	5627	office365	office_suite	Windows Events
Microsoft Windows Event	5646	microsoft_windows_event	endpoint	Windows Events (winlogevent), Syslog (otherwise)
Microsoft Windows via Graylog	5569	microsoft_windows	endpoint	Windows Events (winlogevent)
MicroWorld eScan	5645	microworld_escan	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
MikroTik firewall and router	5553	mikrotik	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
MONITORAPP AI WAF 4.1	5613	monitorapp_ai_waf	waf	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
MONITORAPP WAF 1.0	5535	monitor_app	websec	Traffic (srcip), Syslog (otherwise)
Nasuni	5592	nasuni	paas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
NetApp	5608	netapp	dblogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Netfilter	5544	netfilter	netlogs	Traffic (dstip), Syslog (otherwise)
NetIQ - Identity Manager (CEF)	5143	netiq_identity_manager	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
NetIQ Access Manager	5167	access_manager	iam	Syslog
NetIQ SSO	5171	netiqsso	iam	Syslog
Netman Smart NAC	5650	netman_smart_nac	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
NetMotion	5641	absolute_netmotion	vpn	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
NXLog (Also see Crib, above)	5601	nxlog	paas	Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
OneLogin	5581	one_login	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Open LDAP (for Cisco ESA, use 5562)	5164	openldap_style	email	Syslog
OpenCanary	5638	opencanary	ndr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
OpenShift	5573	redhat_openshift	paas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
OpenVPN	5643	openvpn	vpn	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
OPNsense	5660	opnsense	paas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Oracle DB	5170	oracle	dblogs	Traffic (srcip), Syslog (otherwise)
Oracle Solaris	5664	oracle_solaris	unixlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Ordr Connected Device Security	5622	ordr_cds	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
PacketFence	5686	packetfence	netmgmt	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Palo Alto Networks - Next Generation Firewall (LEEF)	5522	fw_palo_alto	firewall	Traffic (srcip), Syslog (otherwise)
Palo Alto Networks - Traps Agent (CEF)	5143	palo_alto_networks_traps_agent	xdr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Palo Alto Networks Next-Generation Firewall and Panorama (BSD syslog and CSV)	5515	fw_palo_alto	firewall	Traffic (type: traffic), ML IDS/Malware (type: threat), Syslog (otherwise)
Palo Alto Networks Firewall via Graylog	5569	fw_palo_alto	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Penta Security WAPPLES WAF	5560	penta_security_wapples	waf	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Peplink XDR	5665	peplink_xdr	xdr	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Perception Point X-Ray	5667	perceptionpoint_xray	saas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
pfSense Firewall	5543	pfsense_fw	firewall	Syslog
PIOLINK WEBFRONT-K	5617	piolink_webfront_k	waf	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
PrintChaser	5179	printchaser	dlp	Syslog
Privacy-i	5178	privacy	dlp	Syslog
Proofpoint	5596 (5160 is deprecated)	proofpoint	email	Syslog
Pulse Secure	5534	pulse_secure	vpn	Syslog
Radware DefensePro	5619	radware_defense_pro	idps	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Rapid7	5153	rapid7	security_scan	Syslog
RazLeeSecurity - Audit (CEF)	5143	ibm_raz_lee_security	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
RSA Authentication Manager	5184	rsa_auth	nsa	Syslog
Ruckus ZoneDirector	5662	ruckus_zone_director	wireless	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
RuiJie Switch	5689	ruijie_switch	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SafePC	5180	safepc	cloudsec	Syslog
Sangfor NGAF	5637	sangfor_ngaf	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SECUI Firewall	5561	secui_fw	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SECUI MF2 Firewall	5570	secui_mf2	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SECUI MFD	5611	secui_mfd	idps	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Secureki APPM 6	5693	secureki_appm	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Security Strategy Research (SSR) Metieye	5572	ssr_metieye	websec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Secuway SSLVPN (U v1.0 / M v3.0, v3.1	5652	secuwiz_secuway_sslvpn	vpn	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SentinelOne (CEF2) Click here to configure log ingestion	5175	cef_device_vendor	endpoint	Traffic (srcip), Syslog (otherwise)
SentinelOne Mgmt (CEF)	5143	sentinelone_endpoint	endpoint	ML IDS/Malware (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SentinelOne Security Center (CEF)	5143	sentinelone_endpoint	endpoint	ML IDS/Malware (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SentinelOne Singularity Mobile	5623	sentineone_sm	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ServiceNow Now Platform	5668	servicenow_nowplatform	paas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ShareTech Firewall	5609	sharetech_fw	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Snare Agent	5590	snare_agent	paas	Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Sniper IPS	5182	sniperips	idps	Traffic (srcip), Syslog (otherwise)
SonicWall (CEF)	5143	sonicwall	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SonicWall - NSA 2400 (CEF)	5143	sonicwall_nsa	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SonicWall Firewall	5152	sonicfw	firewall	ML IDS/Malware (IDS signature), Traffic (srcip), Syslog (otherwise)
SonicWall VPN	5556	sonicwall_vpn	vpn	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Sophos (CEF)	5143	sophos	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Sophos (JSON)	5530	sophos	endpoint	Traffic (endpoint_type: traffic), ML IDS/Malware (endpoint_type: threat), Syslog (endpoint_type: computer)
Sophos endpoint	5565	endpoint_sophos	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Sophos endpoint (beats)	5044	endpoint_sophos	endpoint	Traffic (srcip), Syslog (otherwise)
Sophos firewall	5520	fw_sophos	firewall	Data goes to the indicated index based on the log_type: If Firewall, then Traffic index If any one of IDP, Anti-Virus, Anti-Spam, or Content Filter it goes to ML-IDS/Malware Index For any other log_type, if srcip exists then it goes to the Traffic Index All other data goes to the Syslog index
Sophos Web Appliance	5626	sophos_web_app	websec	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Splunk Heavy Forwarder	5188	splunk_forwarder	netmgmt	Syslog
Stormshield Net Security Firewall	5625	stormshield_fw	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Symantec Endpoint Protection	5525	symantec_ep	endpoint	Traffic (dstip), Syslog (otherwise)
Symantec Firewall	5155	symantec	firewall	Syslog
Symantec Messaging Gateway	5567	symantec_messaging_gateway	email	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Symantec (CEF)	5143	symantec_dlp	dlp	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Synology Directory Server	5597	synology_directory_server	asset	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Thales Group CipherTrust Manager	5674	thales_cipher_trust_manager	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Trellix FireEye HX	5644	fireeye_hx	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Trend Micro - Deep Security Agent (LEEF)	5522	trendmicro_dsa	endpoint	Traffic (srcip), Syslog (otherwise)
Trend Micro Apex Central (CEF)	5143	trendmicro_apex_central	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Trend Micro (CEF)	5143	trendmicro	endpoint	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Trend Micro Interscan Messaging	5678	trend_micro_interscan_messaging	saas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Trend Micro Proxy	5540	trendmicro_proxy	websec	Traffic (dstip), Syslog (otherwise)
Trend Micro TippingPoint	5672	trend_micro_tippingpoint	idps	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Tripwire Enterprise	5186	tripwire	endpoint	Syslog
Ubiquiti	5552	ubiquiti	netlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Unix	5633	unix	unixlogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Untangle Firewall (Syslog JSON)	5142	json	firewall	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Varonis DatAdvantage (CEF)	5143	varonis_datadvantage	dlp	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Versa Networks Firewall	5568	versa_networks_fw	firewall	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
VMware - Carbon Black (LEEF)	5522	vmware_cb	endpoint	Traffic (srcip), Syslog (otherwise)
VMware ESXi	5600	vmware	unixlogs	Syslog
VMWare Horizon	5687	vmware_horizon	paas	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
VMware NSX-T Data Center	5574	vmware_nsx_t	endpoint (unless log type is dfwpktlogs, then category is firewall)	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
VMware UAG	5620	vmware_uag	iam	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
VMware Vcenter	5615	vmware_vcenter	itsm	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
VMWare VeloCloud SD-WAN	5685	vmware_velocloud_sdwan	netmgmt	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
WatchGuard - XTM (LEEF)	5522	watchguard_fw	firewall	Traffic (srcip), Syslog (otherwise)
WatchGuard firewall security appliance	5557	watchguard_fw	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Wazuh	5634	wazuh_siem	endpoint	Windows Events (winlogevent) , Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Windows DNS Server	5599	windows_dns_server	weblogs	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Windows Event NXLog Click here to configure HostIP	5601	microsoft_windows	endpoint	Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Windows System Security	5610	windows_system_security	endpoint	Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Wins IPS ONE-1 / Wins DDX	5538	winsips	idps	ML IDS/Malware (vendor.attack_name), Syslog (otherwise)
WINS Sniper NGFW	5649	wins_sniper_ngfw	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Zix Mail	5185	zix_mail	email	Traffic (srcip), Syslog (otherwise)
Zscaler NSS Web log (CEF)	5143	zscaler	websec	Syslog
Zscaler ZIA Firewall	5549	zscaler_zia_fw	firewall	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Zscaler ZIA Web	5550	zscaler_zia_web	weblogs	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Zscaler ZPA	5551	zscaler_zpa	vpn	ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Zyxel Firewall	5594	zyxel_fw	firewall	Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)