Log Parser Ports

To receive and parse logs from devices on your network, Stellar Cyber modular sensors require open inbound ports. These ports are already open on modular sensors by default. If there are any firewalls in the data path between the log sources and a modular sensor, you must also open the appropriate ports on those firewalls. This topic lists the supported log parsers and related details, including the port each parser uses. Log parsers are organized in two categories: Generic Log Parsers and Vendor-specific Log Parsers.

Also see: Firewall Requirements

Unless otherwise noted, the ports listed are applicable for both UDP and TCP.

During installation, the timezone for sensors is automatically set to UTC+0. Since the logs from some security products may include only the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to the same timezone as your security product.

Choosing an Ingestion Port

Modular sensors listen on port 514 by default. They then analyze the logs to determine the source device. In some cases, Stellar Cyber has specific ports to process industry-standard log formats, as well as specialized parsers to process vendor-specific logs in more detail. Sending a log type to its more specific port rather than to port 514 provides the following benefits:

  • It speeds up data ingestion and log parsing and increases sensor performance because the sensor already knows the source device.

  • It retains the correct log source when the sensor forwards normalized logs as Interflow records to the Stellar Cyber Open XDR platform.

Use the following as a guide:

  • If the logs are in standard Common Event Format (CEF), Log Event Extended Format (LEEF), or JavaScript Object Notation (JSON) format, forward the data to the port specific to that standard as listed in Generic Log Parsers.

  • If the logs are in standard Syslog format, use the port applicable for that vendor.

  • If the logs are in a specialized format, such as Syslog that carries regular-expression-parsed text, key-value pairs, or comma-separated values (CSV), use the vendor-specific ports.

Using the Port Relay Feature to Minimize Open Ports

It's a best practice in Stellar Cyber to send logs to their vendor-specific parsers, when available. In releases previous to 4.3.5, this was accomplished by referring to the list of supported vendor-specific ports, pointing your log sources to that port on the sensor IP address, and opening the port in your firewall.

This approach is still available and can be used. As an alternative, however, you can configure your sensors to accept log traffic on the generic syslog ports of 514 (non-TLS) or 6514 (TLS) and relay that traffic to vendor-specific ports internally based on the source traffic's IP address.

You do this differently depending on the release your sensors are running:

  • For sensors running 4.3.5, you configure port relay in the sensor CLI using the instructions below.

  • For sensors running 4.3.6, you configure port relay in the System | Collection | Log Sources page. In 4.3.6, CLI configuration is deprecated and only the Log Sources page is used.

Configuring Port Relay in the CLI

You configure the port relay feature for sensors running 4.3.5 using the set logforwarder device-ip command in the sensor CLI. The procedure is as follows:

  1. Find the IP address of your log source.

  2. Use the Log Parser Ports topic to find the parser port for your log source.

  3. Connect to the sensor CLI.

  4. Use the set logforwarder device-ip command to make an entry on the sensor for your log source and the corresponding destination port. The syntax is as follows:

    set logforwarder device-ip <IP Address> parser-port <Integer> ingestion-port <514|6514 default=514>

    So, for example, if you are sending Azure MFA logs from 10.33.5.5 to the sensor, you could either send them directly to port 5528 as you did in previous releases, or you could send them to the standard syslog port of 514 and use the following command on the sensor to relay them internally to 5528:

    set logforwarder device-ip 10.33.5.5 parser-port 5528

    This command tells the sensor to relay logs received on port 514 (the default, which is why it is not explicitly specified in the command above) from 10.33.5.5 to the vendor-specific parser port of 5528 for Azure MFA.

    You can also use the ingestion-port argument if you want to listen for a source on the generic TLS syslog port instead of the default of 514. For example, for Netfilter logs sent from 10.31.2.2, you would use the following command to relay them from 6514 to their vendor-specific parser port of 5544:

    set logforwarder device-ip 10.31.2.2 parser-port 5544 ingestion-port 6514

Notes on Using the Port Relay Feature

Keep in mind the following tips when using the port relay feature:

  • The sending log source must be on the same subnet as the receiving sensor. There must be no proxy capable of changing the log source IP between the sending log source and the receiving sensor.

  • When you create a port relay entry, the sensor listens for both UDP and TCP traffic from the specified source. You can see this with the show logforwarder port-ingestion command.

  • The show logforwarder port-ingestion command is also a useful tool for troubleshooting port relay entries. You can see packet and byte counts for relayed traffic and determine whether traffic is reaching the sensor.

  • You can remove port relay entries using unset logforwarder device-ip <IP Address>.

  • The CLI warns you if you try to add an unsupported parser port. It still adds the unsupported port but lists it in the show logforwarder port-ingestion output as inactive.
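The following Python is an added example (not Stellar Cyber's code) that turns a list of planned log sources into `set logforwarder device-ip` commands while applying the rules stated above: the source must be on the sensor's subnet, the ingestion port is 514 (default, omitted from the command) or 6514, and an unsupported parser port is still emitted but flagged, since the CLI adds it as inactive. The function names, the sensor subnet and the parser-port subset are my own constructions.

```python
"""Plan port-relay entries for a sensor running 4.3.5.

Added example, not Stellar Cyber's code. The parser port table below is a
constructed subset of the vendor-specific table on this page.
"""
import ipaddress

# Constructed subset of the "Vendor-specific Log Parsers" table (parser port -> device).
SUPPORTED_PARSER_PORTS = {
    5528: "Azure MFA",
    5544: "Netfilter",
    5518: "Cisco ASA",
    5517: "Fortinet FortiGate",
    5519: "CheckPoint firewall",
}
GENERIC_INGESTION_PORTS = {514, 6514}  # non-TLS and TLS generic syslog ports


def relay_command(device_ip, parser_port, ingestion_port=514):
    """Render one `set logforwarder device-ip` line.

    ingestion-port is omitted when it is the 514 default, matching the form
    used in the procedure above.
    """
    cmd = f"set logforwarder device-ip {device_ip} parser-port {parser_port}"
    if ingestion_port != 514:
        cmd += f" ingestion-port {ingestion_port}"
    return cmd


def plan_port_relay(sensor_cidr, sources):
    """Validate planned relays and render the CLI commands.

    sensor_cidr: the sensor's own subnet, e.g. "10.33.5.0/24" (constructed).
    sources: iterable of (device_ip, parser_port, ingestion_port) tuples.
    Returns (commands, problems). A source outside the sensor subnet or with
    an invalid ingestion port produces no command; an unsupported parser port
    still produces a command but is reported, because the sensor lists such an
    entry as inactive.
    """
    sensor_net = ipaddress.ip_network(sensor_cidr, strict=False)
    commands, problems = [], []
    for device_ip, parser_port, ingestion_port in sources:
        addr = ipaddress.ip_address(device_ip)
        # Port relay keys on the source IP, so the source must sit on the
        # sensor's subnet with no proxy rewriting the address in between.
        if addr not in sensor_net:
            problems.append(f"{device_ip}: not on sensor subnet {sensor_net}; "
                            "port relay requires the source on the same subnet")
            continue
        if ingestion_port not in GENERIC_INGESTION_PORTS:
            problems.append(f"{device_ip}: ingestion-port must be 514 or 6514, "
                            f"got {ingestion_port}")
            continue
        if parser_port not in SUPPORTED_PARSER_PORTS:
            problems.append(f"{device_ip}: parser-port {parser_port} is not a known "
                            "parser port; the CLI adds it but lists it as inactive")
        commands.append(relay_command(device_ip, parser_port, ingestion_port))
    return commands, problems


if __name__ == "__main__":
    # Constructed planning input for a sensor on 10.33.5.0/24.
    plan = [
        ("10.33.5.5", 5528, 514),   # Azure MFA via the default port, as in the procedure
        ("10.33.5.7", 5544, 6514),  # Netfilter via the TLS generic port
        ("10.31.2.2", 5544, 6514),  # off-subnet source: rejected
        ("10.33.5.9", 9999, 514),   # unknown parser port: emitted but flagged
    ]
    cmds, probs = plan_port_relay("10.33.5.0/24", plan)
    print("\n".join(cmds))
    for p in probs:
        print("WARNING:", p)
```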

Generic Log Parsers

This table includes all supported generic log parser formats, the required firewall port, device type, and the associated Stellar Cyber index.

Use the msg_origin.source field in the Interflow to find the logs when threat hunting in the specified index.

In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser type (cef, leef).

When the Stellar Cyber Platform processes logs, it decides the index based on the data in the logs. For example, in the table the Index for LEEF is Traffic (srcip), Syslog (otherwise). This means that the index will be Traffic if a source IP address is detected, or Syslog if not, in that order.

Following are the firewall ports to open for generic log formats, along with other useful details.

| Standard | Port | msg_origin.source | Index | Comments |
| --- | --- | --- | --- | --- |
| CEF | 5143 | cef_device_vendor | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) | Stellar Cyber recommends you use CEF, if available. Records from the vendors listed in the note below this table are also indexed in IDPS/Malware Sandbox Events. |
| CEF2 | 5175 | cef_device_vendor | Traffic (srcip), Syslog (otherwise) | - |
| Generic capture | 5201 | generic_capture | Syslog | - |
| Generic syslog | 514 | - | - | Use only if you must use a log forwarder. |
| HTTP JSON | 5200 (tcp) | httpjson | Syslog | When you configure log forwarding for the HTTP JSON parser on this port, you must append /httpjson to the end of the URL of the target sensor. Example: http://<sensor-ip>:5200/httpjson |
| JSON stream | 5142 | json | Syslog | - |
| JSON beats | 5044 | beats | Syslog | - |
| LEEF | 5522 | vendor | Traffic (srcip), Syslog (otherwise) | Stellar Cyber recommends you use LEEF, if available. It's primarily useful for logs from IBM QRadar, for which LEEF was developed. |
| Linux Syslog | 5555 | linux_syslogs | Syslog | - |
| RFC 3164 | 5140 | syslog | Syslog | - |
| RFC 5424 | 5141 | syslog | Syslog | - |
| RFC 5424 Enhanced | 5589 | syslog_rfc5424 | Syslog | - |

The following CEF vendor records are also indexed in IDPS/Malware Sandbox Events, with the threat field normalized from the log field indicated:

  • If cef_device_vendor is Check Point, the threat field is normalized from attack_information.

  • If cef_device_vendor is F5, the threat field is normalized from attack_type.

  • If cef_device_vendor is SentinelOne, the threat field is normalized from classification.


Vendor-specific Log Parsers

This table includes all supported vendor-specific parsers, the required firewall port, device type, and their associated Stellar Cyber indices.

The msg_origin.source column specifies the vendor's product. Use the field in the Interflow to find the logs when threat hunting in the specified index. The msg_origin.category column specifies the overall category.

In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser name.

The index column indicates the fields that must be present (and not null) for the logged data to be entered into the respective index. In some cases, no specific field is required, so just the index name is listed. For many parsers, the remaining data that is not mapped to a specific index is "otherwise" mapped into the Syslog index. For example, for FortiAnalyzer logs received on port 5542, data is added to the IDPS/Malware Sandbox Events index if the incoming field vendor.attack_name is not null. Data is added to the Traffic index if dstip is not null. The remaining data is added to the Syslog index. Use the dev_type field in the Interflow to find the logs when threat hunting in the specified index.
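As an added illustration of the index rule described here and in the Generic Log Parsers section (not Stellar Cyber's code), the following Python models how a record's index is chosen for three parsers from this page: LEEF, CEF with the Check Point/F5/SentinelOne threat normalization, and FortiAnalyzer on port 5542. Rule tables and field names are transcribed from this page; the function names, the rule encoding and the sample records are my own.

```python
"""Choose the index for a normalized log record the way this page describes.

Added example, not Stellar Cyber's code. A parser's Index column is read as
an ordered list of (index, required fields): the first index whose fields are
all present and not null wins, and Syslog is the "otherwise" fallback.
"""

SYSLOG = "Syslog"
TRAFFIC = "Traffic"
IDPS = "IDPS/Malware Sandbox Events"

FIVE_TUPLE = ("srcip", "srcport", "dstip", "dstport", "proto")

# From the CEF row of the generic table: these vendors' records also go to
# IDPS/Malware Sandbox Events, with `threat` normalized from the named field.
CEF_THREAT_SOURCE = {
    "Check Point": "attack_information",
    "F5": "attack_type",
    "SentinelOne": "classification",
}

# parser -> ordered rules, transcribed from the tables on this page.
# Assumption: for CEF, a non-null `threat` (set by the normalization below)
# is what selects the IDPS index.
INDEX_RULES = {
    "leef": [(TRAFFIC, ("srcip",))],
    "cef": [(IDPS, ("threat",)), (TRAFFIC, FIVE_TUPLE)],
    "forti_analyzer": [(IDPS, ("vendor.attack_name",)), (TRAFFIC, ("dstip",))],
}


def get_field(record, dotted):
    """Resolve a dotted field name such as vendor.attack_name; None if absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize_cef_threat(record):
    """Copy the vendor-specific attack field into `threat` for the listed CEF vendors.

    Returns a new dict; the input is not modified.
    """
    out = dict(record)
    source_field = CEF_THREAT_SOURCE.get(out.get("cef_device_vendor"))
    if source_field and out.get(source_field) is not None:
        out["threat"] = out[source_field]
    return out


def choose_index(parser, record):
    """Return the index name a record lands in for the given parser."""
    if parser == "cef":
        record = normalize_cef_threat(record)
    for index, required in INDEX_RULES[parser]:
        # "present and not null": every required field must resolve to a non-None value.
        if all(get_field(record, f) is not None for f in required):
            return index
    return SYSLOG


def route(parser, records):
    """Group records by destination index (index -> list of records)."""
    buckets = {}
    for rec in records:
        buckets.setdefault(choose_index(parser, rec), []).append(rec)
    return buckets


if __name__ == "__main__":
    # Constructed FortiAnalyzer records: one threat event, one plain flow, one admin message.
    sample = [
        {"vendor": {"attack_name": "Trojan.Generic"}, "dstip": "10.0.0.9"},
        {"vendor": {"attack_name": None}, "dstip": "10.0.0.9"},
        {"vendor": {}, "msg": "admin login"},
    ]
    for index, recs in route("forti_analyzer", sample).items():
        print(f"{index}: {len(recs)} record(s)")
```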

Device

Port

msg_origin.source

msg_origin.category

Index

(OpnSense) Zenarmor plugin logs

5604

sunny_valley_networks_zenarmor

firewall

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

AAA - Core (CEF)

5143

netiq_advance_auth

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Accops 5526 accops

vpn

Traffic (srcip), Syslog (otherwise)
AhnLab AIPS

5647

ahnlab_aips

idps

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

AhnLab EMS

5657

ahnlab_ems

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

AhnLab EPP

5640

ahnlab_epp

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

AhnLab Policy Center 5571 ahnlab_policy_center

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AhnLab TrusGuard 5558 ahnlab_trusguard

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

AirGap Ransomware Kill Switch

5602

airgap_ransomware_kill_switch

saas

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

AIX 5523 aix

unixlogs

Traffic (event_time: time format of hour:minute:second), Syslog (otherwise)

Alcatel Lucent Switch

5677

alcatel_lucent_switch

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Aliyun / AliCloud 5545 aliyun

paas

IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Android

5605

android

unixlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Apache HTTP Server (httpd)

5663

apache_httpd

weblogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Appgate VPN

5743

appgate_vpn

vpn

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

AQTRONiX WebKnight

5658

aqtronix_webknight

waf

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Aqua Cloud Native Application Protection Platform (CNAPP 2022.4)

5656

aquasecurity_cnapp

paas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Arbor Peakflow SP

5598

arbor_peakflow_sp

ndr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Arista Networks Data Center Switch Router

5747

arista_data_center_switch_router

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Array Networks APV Series Load Balancing & App Delivery

5680

array_networks_apv

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Array Networks ASF 1800

5675

array_networks_asf_1800

waf

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Array Networks Secure Access Gateway 5537 array_sag

vpn

Traffic (srcip), Syslog (otherwise)
Aruba ClearPass Policy Manager (CEF) 5143 aruba_clear_pass

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Aruba Switch 5577 aruba_switch

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Automox 5183 automox

patch

Syslog

Avanan

5681

avanan

email

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Avanan (HTTP JSON)

5200 (tcp only)

avanan

email

Syslog

Avaya Switch

5607

avaya_switch

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

AWS WAF

(HTTP JSON)

5200 (tcp only)

aws_waf

waf

Syslog

AXGATE Next Generation Firewall

5703

axgate_ngfw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Azure ATP (CEF) 5143 azure_atp

iam

Traffic (srcip, srcport, dstip, dstports, and proto), Syslog (otherwise)
Azure MFA 5528 azure_mfa

iam

Traffic (srcip), Syslog (otherwise)
Barracuda email 5559 barracuda_email

email

IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Barracuda firewall 5524 barracuda_fw

firewall

IDPS/Malware Sandbox Events (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
Barracuda WAF 5524 barracuda_waf

waf

IDPS/Malware Sandbox Events (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)

BeyondTrust BeyondInsight

5621

beyondtrust_beyondinsight

iam

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

BeyondTrust PasswordSafe

5692

beyondtrust_passwordsafe

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Bitdefender (HTTP JSON)

(Syslog JSON)

Click here to configure log ingestion

5200 (tcp only)

5142

bitdefender

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

BlackBerry CylancePROTECT & CylanceOPTICS 5177

cylance
cylance_optics
cylance_protect

endpoint

Traffic (srcip), Syslog (otherwise)
BlueCoatProxySG 5576 bluecoat_proxysg

websec

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Brocade switch (system & admin logs) 5548 brocade_switch

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Calyptix UTM 5161 calyptix

firewall

IDPS/Malware Sandbox Events (ids.signature), Traffic (srcip), Syslog (otherwise)

Centos Audit

5673

centos_audit

unixlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Centrify 5165 centrify

iam

Syslog
Cerberus FTP Logs

5635

cerverus_ftp

unixlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Check Point - Application Control (CEF)

5143

fw_checkpoint

firewall

IDPS/Malware Sandbox Events (threat, normalized from attack_information), Traffic (srcip, srcport,dstip,dstport, and proto), Syslog (otherwise)
Check Point - URL Filtering (CEF)

5143

fw_checkpoint

firewall

IDPS/Malware Sandbox Events (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CheckPoint appliance 5174 fw_checkpoint_appliance

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CheckPoint firewall

5519 fw_checkpoint

firewall

Traffic (srcip), Syslog (otherwise)

CheckPoint Harmony EP

5618

checkpoint_harmony_ep

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

CheckPoint SmartCenter

5741

checkpoint_smartcenter

saas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

CheckPoint VPN-1 & FireWall-1 (CEF)

5143

fw_checkpoint

firewall

IDPS/Malware Sandbox Events (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Cisco ACI

5717

cisco_aci

netmgmt

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Cisco ASA 5518 fw_cisco_asa

firewall

Traffic (srcip), Syslog (otherwise)

Cisco Catalyst Firewall

5702

cisco_catalyst_fw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Cisco Catalyst SD-WAN

5746

cisco_sd_wan

netmgmt

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Cisco CUCM 5532 cisco_cucm

voip

Syslog
Cisco ESA 5562 cisco_esa

email

IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco ESA 5164 (deprecated) openldap_style

email

Syslog
Cisco Firepower

5168 ips_fire_power

firewall

Traffic (srcip), Syslog (otherwise)
Cisco IKE 5176 ciscovpn

vpn

Syslog

Cisco IronPort 5163 cisco_ironport

email

Syslog

Cisco ISE

5157 ciscoise

asset

Syslog

Cisco MDS 5563 cisco_mds

netlogs

IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Meraki 5172 meraki

firewall

Traffic (srcip), Syslog (otherwise)

IDPS/Malware Sandbox Events (threat), (device_event_category,msg,signature,event_severity), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Cisco Netflow 2055 (udp only) netflow

traffic

Traffic
Cisco routers and switches 5158 cisco_router_switch

netlogs

Syslog

Cisco Secure Network Analytics (Stealthwatch)

5719

cisco_secure_network_analytics

ndr

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Cisco UCS 5579 cisco_ucs

unixlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Umbrella 5521 cisco_umbrella

dnssec

Syslog

Cisco VPN 5156 ciscovpn

vpn

Syslog

Cisco WLC 5531 cisco_wlc

wireless

Syslog

Citrix Access Gateway

5688

citrix_access_gateway

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Citrix NetScaler 5166 netscaler

netmgmt

Syslog

Citrix NetScaler (CEF)

5143

netscaler

netmgmt

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Citrix XenServer

5732

citrix_xenserver

paas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Commvault Metallic ThreatWise

5736

commvault_metallic_threatwise

mdr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Comodo- CIS CCS (CEF)

5143

comodo

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ConnectWise ScreenConnect

5744

connectwise_screenconnect

remote_access

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

CoreLight Sensor

Click here to configure log ingestion

5575 corelight_sensor

websec

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CoSoSys Endpoint Protection

5654

cososys

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Cribl default (Syslog JSON)

5142

json

xdr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Cribl / NXLog
(log -> NXLog ->Cribl)

(Syslog JSON)

5142

microsoft

endpoint

Windows Events

CrowdStrike (beats) 5044

crowdstrike

endpoint

Syslog

CrowdStrike (CEF) 5143

crowd_strike_falcon_host

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

CyberArk PTA (CEF)

Click here to configure log ingestion

5143

cyberark

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Cygna Labs Cygna Auditor

5718

cygna_labs_cygna_auditor

paas

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Cynerio

5727

cynerio

iot

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Cynet (CEF)

5143

cynet

xdr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

D-Link 5189 dlink

wireless

Traffic (srcip), Syslog (otherwise)
DBSafer 5181 dbsafer

dlp

Syslog

Deep Instinct

5628

deep_instinct

saas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Dell EMC Powerstore

5683

dell_powerstore

storage

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Dell iDRAC 5566 dell_idrac

saas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dell Switch 5578 dell_switch

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

DHCP (beats)

5044

dhcp

netmgmt

Traffic (srcmac), Syslog (otherwise)

DHCPD (ISC DHCP) 5554 dhcpd

netmgmt

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

DNSVault RPZdb

5639

dnsvault_rpzdb

ndr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Dragos (CEF) 5539 dragos

otsec

Traffic (srcip), Syslog (otherwise)

DrayTek Firewall

5593

draytek_fw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ECS Suricata (HTTP JSON)

5200 (tcp only)

suricata

ndr

IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ECS Windows (HTTP JSON)

5200 (tcp only)

microsoft_windows

endpoint

Windows Events (winlogevent)
eDictionary - eDictionary (CEF)

5143

edictionary

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Egnyte (Syslog JSON)

(HTTP JSON)

5142

5200 (tcp only)

egnyte

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Ericom ZTEdge

5603

ericom_ztedge

ndr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ESET PROTECT

5655

eset_protect

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Exium SASE (HTTP JSON)

5200 (tcp only)

exium_sase

paas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ExtraHop (CEF) 5143

extrahop

ndr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Extreme AirDefense

5612

extreme_airdefense

idps

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Extreme Controller

5666

extreme_controller

wireless

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ExtremeCloud IQ Site Engine

5614

extreme_site_engine

asset

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Extreme Networks X690

5699

extreme_x690

asset

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

F5 - ASM (CEF)

5143

f5

waf

IDPS/Malware Sandbox Events (threat, normalized from attack_type), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 BIG-IP 5162 f5_big_ip

firewall

IDPS/Malware Sandbox Events (IDS signature), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 BIG-IP Telemetry (HTTP JSON)

5200 (tcp only) f5_big_ip

firewall

Syslog

F5 IPI 5536 f5_threat_intelligence

firewall

IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 iRule 5536 f5_irule firewall IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 L7 DDOS 5536 f5_l7ddos firewall IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 Mitigation 5536 f5_ddos firewall IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 NGINX 5151 nginx

weblogs

Syslog

F5 Silverline 5536 f5_silverline

firewall

IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 VPN 5187 f5_vpn

vpn

Syslog

F5 WAF 5536 f5_waf

waf

IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)

FatPipe Networks SD-WAN

5583

fatpipe_sd_wan

netmgmt

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Forcepoint

5143

forcepoint_dlp

dlp

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Forcepoint - Firewall (CEF)

5143

forcepoint_fw

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Forcepoint -DLP (CEF)

5143

forcepoint

dlp

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Forcepoint -Firewall (CEF)

5143

forcepoint

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Forcepoint Web Security (CEF) 5143

forcepoint

paas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

ForeScout 5154 forescout

asset

Syslog

FortiADC

5725

fortinet_fortiadc

netlogs

IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Fortinet FortiAnalyzer 5542 forti_analyzer

ndr

IDPS/Malware Sandbox Events (vendor.attack_name), Traffic (dstip), Syslog (otherwise)

Fortinet FortiAuthenticator

5671

fortinet_fortiauthenticator

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Fortinet FortiEDR

5661

fortinet_fortiedr

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Fortinet Forticloud FortiClient EMS Cloud Endpoint Management Services

5682

fortinet_forticlient_ems

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Fortinet FortiGate 5517 fw_fortigate

firewall

Traffic (action), Syslog (otherwise)

Fortinet Fortigate (CEF)

5143

fw_fortigate

firewall

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Fortinet FortiMail

5616

forti_mail

email

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Fortinet FortiSandbox

5648

fortinet_fortisandbox

asset

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Fortinet FortiWeb

5642

fortinet_fortiweb

waf

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

FutureSystems WeGuardia SSL plus (SSL VPN)

5651

future_systems_weguardia_ssl_plus

vpn

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Gatewatcher NDR

5684

gatewatcher_ndr

ndr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Graylog format

5569

graylog

endpoint

Windows Events (winlogevent), IDPS/Malware Sandbox (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Guardicore (CEF)

5143

guardicore

cloudsec

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

HanDreamnet VIPM

5676

handreamnet_vipm

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

HAProxy

5713

haproxy

websec

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Hewlett Packard UNIX

5585

hp-ux

unixlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Hillstone 5514 fw_hillstone

firewall

IDPS/Malware Sandbox Events log_type: threat), Traffic (log_type: traffic),

HPE Nimble Storage

5731

hpe_nimble

storage

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

HPE Switch

5595

hpe_switch

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

IBM AS400

5632

ibm_i

ibm_os_logs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Impero ContentKeeper

5670

impero_contentkeeper

websec

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Incapsula SIEM Integration (CEF)

5143

incapsula

waf

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Imperva - SecureSphere (CEF)

5143

imperva_secure_sphere

ndr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Indusface Web Application Firewall

5582

indusface_waf

waf

IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Infoblox Data Connector (CEF)

5143

infoblox

ndr

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Infoblox Network Identity OS (NIOS)

5587

infoblox_nios

dnssec

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Infocyte HUNT (CEF)

5143

infocyte

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

IPFIX

4739 (udp only)

ipfix

traffic

Traffic

IronScales (CEF)

5143

ironscales_irontraps

email

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Ivanti Pulse Secure

5712

ivanti_pulse_secure

iam

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Jsonar Database Security Tool

5586

jsonar_db_security_tool

dblogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Juniper SRX 5173 fw_juniper_srx

firewall

Traffic (srcip), Syslog (otherwise)
Juniper SSG 5516 fw_juniper_ssg

firewall

Traffic (srcip), Syslog (otherwise)

Juniper Switch

5591

juniper_switch

netlogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

KasperskyLab (CEF)

5143

kasperskylab

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Kaspersky Security Center

5723

kaspersky_security_center

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

KeeperSecurity Enterprise

5710

keeper_security_enterprise

iam

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Kemp Technologies Load Master LB

5695

kemp_technologies_load_master_lb

weblogs

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Keycloak

5653

keycloak

iam

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)

Kubernetes

(HTTP JSON)

5200 (tcp only)

kubernetes

paas

Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Lancope - StealthWatch (LEEF)

5522

lancope_stealthwatch

firewall

Traffic (srcip), Syslog (otherwise)

LanScope Cat

5588

lanscope_cat

endpoint

Syslog

Lepide

5607

lepide

endpoint

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

Libraesva Email Security Gateway (ESG)

5742

libraesva_esg

email

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise

Linux Audit

5697

linux_audit

unixlogs

Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise)

| Log Parser | Port | dev_type | Category | Index |
|---|---|---|---|---|
| Linux Syslog | 5555 | linux_syslog | unixlogs | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Logstash Suricata | 5629 | logstash_suricata | ndr | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Mailboarder Agent | 5580 | mailboarder_agent | email | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Mako Networks firewall | 5547 | mako_fw | firewall | Traffic (dstip), Syslog (otherwise) |
| ManageEngine ADAudit Plus | 5679 | manageengine_adaudit_plus | iam | Windows Events |
| ManageEngine ADAuditPlus (CEF) | 5143 | manageengine | iam | Windows Events |
| McAfee (CEF) | 5143 | If Web Gateway is in the product name, dev_type is set to mcafee_web_gateway; otherwise the value is determined from the CEF vendor field | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| McAfee Advanced Threat Defense | 5584 | mcafee_atd | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| McAfee ePolicy Orchestrator | 5533 | mcafee_epo | endpoint | Traffic (srcip), Syslog (otherwise) |
| McAfee Firewall | 5169 | mcafee_firewall | firewall | Traffic (srcip), Syslog (otherwise) |
| McAfee Network Security | 5527 | mcafee_ns | ipds | Traffic (srcip), Syslog (otherwise) |
| McAfee Proxy | 5739 | mcafee_proxy | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| MCAS SIEM Agent (CEF) | 5143 | mcas | firewall | Windows Events |
| Medigate | 5631 | medigate | iotsec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Melapress WordPress | 5714 | melapress_wordpress | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Menlo Security MS-XL50M | 5630 | menlo | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Microsoft IIS | 5636 | microsoft_iis | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Microsoft IIS (Syslog JSON) | 5142 | json | weblogs | Syslog |
| Microsoft Office 365 | 5627 | office365 | office_suite | Windows Events |
| Microsoft Windows Event | 5646 | microsoft_windows_event | endpoint | Windows Events (winlogevent), Syslog (otherwise) |
| Microsoft Windows via Graylog | 5569 | microsoft_windows | endpoint | Windows Events (winlogevent) |
| MicroWorld eScan | 5645 | microworld_escan | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| MikroTik firewall and router | 5553 | mikrotik | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| MONITORAPP AI WAF 4.1 | 5613 | monitorapp_ai_waf | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| MONITORAPP WAF 1.0 | 5535 | monitor_app | websec | Traffic (srcip), Syslog (otherwise) |
| Nasuni | 5592 | nasuni | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| NetApp | 5608 | netapp | dblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Netfilter | 5544 | netfilter | netlogs | Traffic (dstip), Syslog (otherwise) |
| NetIQ - Identity Manager (CEF) | 5143 | netiq_identity_manager | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| NetIQ Access Manager | 5167 | access_manager | iam | Syslog |
| NetIQ SSO | 5171 | netiqsso | iam | Syslog |
| Netman Smart NAC | 5650 | netman_smart_nac | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| NetMotion | 5641 | absolute_netmotion | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Nutanix NX | 5724 | nutanix_nx | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| NVIDIA Mellanox Switch | 5734 | nvidia_mellanox_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| NXLog (Also see Crib, above) | 5601 | nxlog | paas | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| OneLogin | 5581 | one_login | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Open LDAP | 5164 (for Cisco ESA, use 5562) | openldap_style | email | Syslog |
| OpenCanary | 5638 | opencanary | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| OpenShift | 5573 | redhat_openshift | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| OpenVPN | 5643 | openvpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| OPNsense | 5660 | opnsense | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Oracle DB | 5170 | oracle | dblogs | Traffic (srcip), Syslog (otherwise) |
| Oracle Solaris | 5664 | oracle_solaris | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Ordr Connected Device Security | 5622 | ordr_cds | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| PacketFence | 5686 | packetfence | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Palo Alto Networks Next Generation Firewall (LEEF) | 5522 | fw_palo_alto | firewall | Traffic (srcip), Syslog (otherwise) |
| Palo Alto Networks - Traps Agent (CEF) | 5143 | palo_alto_networks_traps_agent | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Palo Alto Networks Next-Generation Firewall and Panorama (BSD syslog and CSV) | 5515 | fw_palo_alto | firewall | Traffic (type: traffic), IDPS/Malware Sandbox Events (type: threat), Syslog (otherwise) |
| Palo Alto Networks Firewall via Graylog | 5569 | fw_palo_alto | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Palo Alto Networks Prisma Cloud (Compute Edition) | 5720 | palo_alto_networks_prisma_cloud | cloudsec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Penta Security WAPPLES WAF | 5560 | penta_security_wapples | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Pentera Appliance | 5737 | pentera_appliance | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Peplink XDR | 5665 | peplink_xdr | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Perception Point X-Ray | 5667 | perceptionpoint_xray | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| pfSense Firewall | 5543 | pfsense_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog |
| PIOLINK WEBFRONT-K | 5617 | piolink_webfront_k | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| PNPSECURE NODESAFER | 5711 | pnpsecure_nodesafer | dblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| PrintChaser | 5179 | printchaser | dlp | Syslog |
| Privacy-i | 5178 | privacy | dlp | Syslog |
| Proofpoint | 5596 (5160 is deprecated) | proofpoint | email | Syslog |
| Prophaze WAF | 5733 | prophaze_waf | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Pulse Secure | 5534 | pulse_secure | vpn | Syslog |
| QNAP QTS | 5726 | qnap_qts | storage | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Qumulo Core | 5704 | qumulo_core | storage | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Radware Alteon | 5700 | radware_alteon | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Radware DefensePro | 5619 | radware_defense_pro | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Rapid7 | 5153 | rapid7 | security_scan | Syslog |
| RazLeeSecurity - Audit (CEF) | 5143 | ibm_raz_lee_security | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Relianoid WAF | 5730 | relianoid_waf | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| RSA Authentication Manager | 5184 | rsa_auth | nsa | Syslog |
| Ruckus ZoneDirector | 5662 | ruckus_zone_director | wireless | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| RuiJie Switch | 5689 | ruijie_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| SafePC | 5180 | safepc | cloudsec | Syslog |
| Sangfor EDR | 5701 | sangfor_edr | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Sangfor NGAF | 5637 | sangfor_ngaf | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Sectona PAM | 5721 | sectona_pam | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| SECUI Firewall | 5561 | secui_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| SECUI MF2 Firewall | 5570 | secui_mf2 | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| SECUI MFD | 5611 | secui_mfd | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Secureki APPM | 5693 | secureki_appm | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Security Strategy Research (SSR) Metieye | 5572 | ssr_metieye | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Secuway SSLVPN (U v1.0 / M v3.0, v3.1) | 5652 | secuwiz_secuway_sslvpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| SentinelOne (CEF2) | 5175 | cef_device_vendor | endpoint | Traffic (srcip), Syslog (otherwise) |
| SentinelOne Mgmt (CEF) | 5143 | sentinelone_endpoint | endpoint | IDPS/Malware Sandbox Events (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| SentinelOne Security Center (CEF) | 5143 | sentinelone_endpoint | endpoint | IDPS/Malware Sandbox Events (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| SentinelOne Singularity Mobile | 5623 | sentineone_sm | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| ServiceNow Now Platform | 5668 | servicenow_nowplatform | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| ShareTech Firewall | 5609 | sharetech_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Snare Agent | 5590 | snare_agent | paas | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Sniper IPS | 5182 | sniperips | idps | Traffic (srcip), Syslog (otherwise) |
| SonicWall - NSA 2400 (CEF) | 5143 | sonicwall_nsa | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| SonicWall Firewall | 5152 | sonicfw | firewall | IDPS/Malware Sandbox Events (IDS signature), Traffic (srcip), Syslog (otherwise) |
| SonicWall VPN | 5556 | sonicwall_vpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Sophos (CEF) | 5143 | sophos | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Sophos (JSON) | 5530 | sophos | endpoint | Traffic (endpoint_type: traffic), IDPS/Malware Sandbox Events (endpoint_type: threat), Syslog (endpoint_type: computer) |
| Sophos endpoint | 5565 | endpoint_sophos | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Sophos endpoint (beats) | 5044 | endpoint_sophos | endpoint | Traffic (srcip), Syslog (otherwise) |
| Sophos firewall | 5520 | fw_sophos | firewall | Based on the log_type: Firewall goes to the Traffic index; IDP, Anti-Virus, Anti-Spam, or Content Filter goes to the IDPS/Malware Sandbox Events index; for any other log_type, if srcip exists it goes to the Traffic index; all other data goes to the Syslog index |
| Sophos Web Appliance | 5626 | sophos_web_app | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Splashtop | 5698 | splashtop | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Splunk Heavy Forwarder | 5188 | splunk_forwarder | netmgmt | Syslog |
| Stormshield Net Security Firewall | 5625 | stormshield_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Symantec Endpoint Protection | 5525 | symantec_ep | endpoint | Traffic (dstip), Syslog (otherwise) |
| Symantec Firewall | 5155 | symantec | firewall | Syslog |
| Symantec Messaging Gateway | 5567 | symantec_messaging_gateway | email | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Symantec DLP (CEF) | 5143 | symantec | symantec_dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Synology Directory Server | 5597 | synology_directory_server | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Syslog4Net | 5715 | syslog4net | log_processing | Windows Events (winlogevent), Syslog (otherwise) |
| Thales Group CipherTrust Manager | 5674 | thales_cipher_trust_manager | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| ThreatLocker Zero Trust EPP | 5200 (tcp only) | threat_locker_zero_trust_epp | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Trellix FireEye HX | 5644 | fireeye_hx | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Trend Micro - Deep Security Agent (LEEF) | 5522 | trendmicro_dsa | endpoint | Traffic (srcip), Syslog (otherwise) |
| Trend Micro Apex Central (CEF) | 5143 | trendmicro_apex_central | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Trend Micro Interscan Messaging | 5678 | trend_micro_interscan_messaging | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Trend Micro Proxy | 5540 | trendmicro_proxy | websec | Traffic (dstip), Syslog (otherwise) |
| Trend Micro TippingPoint | 5672 | trend_micro_tippingpoint | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Tripwire Enterprise | 5186 | tripwire | endpoint | Syslog |
| Ubiquiti UAP-AC-Pro | 5552 | ubiquiti | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| UMV WSS (Web Server Safeguard) | 5709 | umv_wss | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Unix | 5633 | unix | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Untangle Firewall (Syslog JSON) | 5142 | json | firewall | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Varonis DatAdvantage (CEF) | 5143 | varonis_datadvantage | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Vectra AI Platform | 5738 | vectra_ai_platform | xdr | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Versa Networks Firewall | 5568 | versa_networks_fw | firewall | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| VMware - Carbon Black (LEEF) | 5522 | vmware_cb | endpoint | Traffic (srcip), Syslog (otherwise) |
| VMware ESXi | 5600 | vmware | unixlogs | Syslog |
| VMWare Horizon | 5687 | vmware_horizon | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| VMware NSX-T Data Center | 5574 | vmware_nsx_t | endpoint (unless log type is dfwpktlogs, then category is firewall) | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| VMware UAG | 5620 | vmware_uag | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| VMware Vcenter | 5615 | vmware_vcenter | itsm | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| VMWare VeloCloud SD-WAN | 5685 | vmware_velocloud_sdwan | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| WatchGuard - XTM (LEEF) | 5522 | watchguard_fw | firewall | Traffic (srcip), Syslog (otherwise) |
| WatchGuard firewall security appliance | 5557 | watchguard_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Wazuh | 5634 | wazuh_siem | endpoint | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Windows DNS Server | 5599 | windows_dns_server | weblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Windows Event NXLog | 5601 | microsoft_windows | endpoint | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Windows System Security | 5610 | windows_system_security | endpoint | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Wins IPS ONE-1 / Wins DDX | 5538 | winsips | idps | IDPS/Malware Sandbox Events (vendor.attack_name), Syslog (otherwise) |
| WINS Sniper NGFW | 5649 | wins_sniper_ngfw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Zeek (NXLog method) | 5142 | json | json | Syslog |
| Zix Mail | 5185 | zix_mail | email | Traffic (srcip), Syslog (otherwise) |
| Zscaler NSSWeblog (CEF) | 5143 | zscaler | websec | Syslog |
| Zscaler ZIA Firewall | 5549 | zscaler_zia_fw | firewall | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Zscaler ZIA Web | 5550 | zscaler_zia_web | weblogs | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Zscaler ZPA | 5551 | zscaler_zpa | vpn | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
| Zyxel Firewall | 5594 | zyxel_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |

Parsers that Support Line Breaks in Messages Delivered over TCP

Most syslogs that are sent over TCP use ASCII LF (represented as \n) as a TRAILER character to terminate individual messages within the larger transmission. (This is the non-transparent-framing method described in section 3.4.2 in RFC 6587 - Transmission of Syslog Messages over TCP.) Unfortunately, if a log uses LF (\n) as a line break within a message, parsers recognize it as a TRAILER character and split it into multiple parts, depending on the number of line breaks involved. This results in the erroneous creation of multiple “messages” that are really just parts of one single message.

There are exceptions however. The following parsers can receive logs delivered over TCP with LF (\n) line breaks because these logs include fixed HEADER and TRAILER characters, which the parsers use to isolate messages:

  • Aliyun/AliCloud on port 5545

  • Avanan on port 5681

  • BeyondTrust BeyondInsight on port 5621

  • CheckPoint Firewall on port 5519

  • FortiADC on port 5725

  • Indusface Web Application Firewall on port 5582

  • Monitorapp on port 5535

  • Splunk Heavy Forwarder on port 5188

  • Windows System Security on port 5610

  • The following HTTP JSON parsers that listen on TCP 5200 also support LF line breaks within syslog messages.

    When only one product is sending logs to TCP 5200 on a sensor, the URL doesn’t need to include the product name to identify it. However, when there is more than one and you want to differentiate them, include the product name. Example for Avanan: https://<sensor_ip_addr>:5200/httpjson or https://<sensor_ip_addr>:5200/httpjson_avanan

    • Avanan – httpjson or httpjson_avanan

    • AWS WAF – httpjson or httpjson_awf_waf

    • Bitdefender – httpjson or httpjson_bitdefender_multiple_event

    • ECS Suricata – httpjson or httpjson_ecs or httpjson_ecs_suricata

    • ECS Windows – httpjson or httpjson_ecs or httpjson_ecs_windows

    • Egnyte – httpjson or httpjson_egnyte

    • Exium SASE – httpjson or httpjson_exium_sase

    • FS BIG-IP Telemetry – httpjson or httpjson_fs_telemetry_streaming

    • Kubernetes – httpjson or httpjson_kubernetes

    • ThreatLocker Zero Trust EPP – httpjson or httpjson_threat_locker_zero_trust_epp

In addition to the non-transparent-framing method to separate log messages, section 3.4.1 in RFC 6587 - Transmission of Syslog Messages over TCP describes another method: octet counting. The Fortinet FortiGate parser supports this as well as non-transparent-framing, checking the first character in a frame to determine which method is being used. If a log sent to the Fortinet FortiGate parser on TCP port 5517 contains an LF (\n) line break, then the octet counting method must be used. Otherwise, either method works.

In summary, only the parsers listed above can process logs that include \n and are sent over TCP. All parsers support logs sent over UDP because a UDP datagram contains just one syslog message inside; therefore, parsers don’t need to separate multiple syslog messages from a single transmission.
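The two RFC 6587 framing methods discussed above, as an added example that is not Stellar Cyber's parser code: a small frame splitter that, like the FortiGate parser is described as doing, inspects the first byte of each frame to choose between octet counting and LF-trailer framing, and shows why a message carrying an embedded LF is split under the latter but survives under the former. The sample message is constructed.

```python
# Added example, not Stellar Cyber's code: a minimal RFC 6587 frame splitter
# handling both octet counting (section 3.4.1) and non-transparent framing
# (section 3.4.2, LF trailer), selecting per frame by its first byte.
from typing import List

LF = b"\n"


def split_frames(stream: bytes) -> List[bytes]:
    """Split one TCP payload into individual syslog messages.

    A frame whose first byte is an ASCII digit is octet-counted
    ("<MSG-LEN> <SYSLOG-MSG>"); any other frame is LF-terminated.
    A syslog message itself starts with "<PRI>", so a leading digit is
    unambiguous. Embedded LFs survive only inside octet-counted frames.
    """
    msgs: List[bytes] = []
    pos, end = 0, len(stream)
    while pos < end:
        if stream[pos:pos + 1].isdigit():
            # Octet counting: the decimal length ends at the first space.
            sp = stream.index(b" ", pos)
            length = int(stream[pos:sp])
            start = sp + 1
            if start + length > end:
                raise ValueError("truncated octet-counted frame")
            msgs.append(stream[start:start + length])
            pos = start + length
        else:
            # Non-transparent framing: everything up to the LF trailer.
            lf = stream.find(LF, pos)
            if lf < 0:
                lf = end
            if lf > pos:  # skip empty frames (e.g. a trailing LF)
                msgs.append(stream[pos:lf])
            pos = lf + 1
    return msgs


def frame_octet_counting(msg: bytes) -> bytes:
    """Encode a message with RFC 6587 section 3.4.1 octet counting."""
    return b"%d " % len(msg) + msg


def frame_non_transparent(msg: bytes) -> bytes:
    """Encode a message with RFC 6587 section 3.4.2 (LF trailer)."""
    return msg + LF


# Constructed sample: a FortiGate-style message carrying an embedded LF.
MSG_WITH_LF = b'<134>date=2024-01-01 msg="line one\nline two" action=accept'

if __name__ == "__main__":
    # LF-trailer framing wrongly yields two fragments; octet counting keeps
    # the message whole, which is why it is required for such logs on 5517.
    print(len(split_frames(frame_non_transparent(MSG_WITH_LF))))  # 2
    print(len(split_frames(frame_octet_counting(MSG_WITH_LF))))   # 1
```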