Log Parser Ports
Stellar Cyber sensors require open inbound ports on your firewall in order to receive and parse logs from devices on your network. The ports are already open by default on the sensor, but you must open the corresponding ports on your firewall. This topic lists the supported log parsers and related details. Log parsers are organized into two categories, Generic Log Parsers and Vendor-specific Log Parsers, each covered in its own section below.
Also see: Firewall Requirements
Unless otherwise noted, the ports listed apply to both UDP and TCP.
During installation, the sensor timezone is automatically set to UTC+0. Because the logs of some security products include only the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to the same timezone as your security product.
Choosing an Ingestion Port
Sensors listen on port 514 by default and analyze the logs they receive to determine the source device. In some cases, Stellar Cyber has specific ports that process industry-standard log formats, as well as specialized parsers that process vendor-specific logs in more detail. If you can identify a port more specific to your log type than port 514, you:
- Speed up data ingestion and log parsing, and increase sensor performance, because the sensor already knows the source device.
- Retain the correct log source, because logs received on port 514 have the source set to local when they are forwarded to the data processor.
Use the following as a guide:
- If the logs are in standard Common Event Format (CEF), Log Event Extended Format (LEEF), or JavaScript Object Notation (JSON) format, forward the data to the port specific to that standard, as listed in Generic Log Parsers.
- If the logs are in standard Syslog format, use the port applicable to that vendor.
- If the logs are in a specialized format, such as Syslog with regular expressions, key: value pairs, or CSV, use the vendor-specific ports.
Generic Log Parsers
This table includes all supported generic log parser formats, the required firewall port, device type, and the associated Stellar Cyber index.
Use the msg_origin.source field in the Interflow to find the logs when threat hunting in the specified index.
The Interflow also carries msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser type (cef, leef).
When the data processor (DP) processes the logs, it decides the index based on the data in the logs. For example, in the table the Index for LEEF is "Traffic (srcip), Syslog (otherwise)". This means that the index will be Traffic if a source IP address is detected, or Syslog if not, evaluated in that order.
Following are the firewall ports to open for generic log formats, along with other useful details.
Standard | Port | msg_origin.source | Index | Comments |
---|---|---|---|---|
CEF | 5143 | cef_device_vendor | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise). The following vendor records are also indexed in ML IDS / Malware, with the threat field being normalized from logs as indicated below: | Stellar Cyber recommends you use CEF, if available. |
CEF2 | 5175 | cef_device_vendor | Traffic (srcip), Syslog (otherwise) | - |
Generic capture | 5201 | generic_capture | Syslog | - |
Generic syslog | 514 | - | - | Use only if you must use a log forwarder. |
HTTP JSON | 5200 (tcp) | httpjson | Syslog | When you configure your log forwarding for the HTTP JSON parser on this port, you must append /httpjson at the end of the URL of the target sensor. Example: http://<sensor-ip>:5200/httpjson |
JSON stream | 5142 | json | Syslog | - |
JSON beats | 5044 | beats | Syslog | - |
LEEF | 5522 | vendor | Traffic (srcip), Syslog (otherwise) | Stellar Cyber recommends you use LEEF, if available. It's primarily useful for logs from IBM QRadar, for which LEEF was developed. |
Linux Syslog | 5555 | linux_syslogs | Syslog | - |
RFC 3164 | 5140 | syslog | Syslog | - |
RFC 5424 | 5141 | syslog | Syslog | - |
RFC 5424 Enhanced | 5589 | syslog_rfc5424 | Syslog | - |
Vendor-specific Log Parsers
This table includes all supported vendor-specific parsers, the required firewall port, device type, and their associated Stellar Cyber indices.
The msg_origin.source column specifies the vendor's product. Use this field in the Interflow to find the logs when threat hunting in the specified index. The msg_origin.category column specifies the overall category.
The Interflow also carries msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser name.
The Index column lists the fields that must be present (and not null) for the logged data to be written to the respective index; the conditions are evaluated in the order listed. In some cases no specific field is required, so just the index name is listed. For many parsers, any remaining data that does not match a specific index is "otherwise" mapped into the Syslog index. For example, for FortiAnalyzer logs received on port 5542, data is added to the ML IDS/Malware index if the incoming field vendor.attack_name is not null, to the Traffic index if dstip is not null, and otherwise to the Syslog index. Use the dev_type field in the Interflow to find the logs when threat hunting in the specified index.
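The index selection described above (an ordered list of field conditions, first match wins) as an added Python example; this is not Stellar Cyber code. It parses Index-column expressions copied from this page's tables and applies them to constructed records, supporting the three condition forms the tables use: a bare field name (present and not null), "field: value or value" and "field: /pattern/".

```python
"""Evaluate Index-column routing expressions from the parser tables.

Added example, not Stellar Cyber's code. An expression such as
"ML IDS/Malware (vendor.attack_name), Traffic (dstip), Syslog (otherwise)"
is read as an ordered rule list; the first index whose conditions the
record satisfies wins. Condition forms mirror the tables: a field name
(present and not null), "field: v1 or v2" (equals one of them) and
"field: /pattern/" (regex search). Sample records below are constructed.
"""
import re
from typing import Any, Callable, Optional

Condition = Callable[[dict], bool]

# One "Index (conditions)" clause; the index name runs up to the open paren.
_CLAUSE = re.compile(r"\s*([^(,]+?)\s*\(([^)]*)\)")


def _lookup(record: dict, path: str) -> Any:
    """Resolve a dotted path such as vendor.attack_name; missing keys give None."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def _condition(spec: str) -> Condition:
    """Build a predicate from one field spec found inside the parentheses."""
    if ":" in spec:
        name, value = (s.strip() for s in spec.split(":", 1))
        if value.startswith("/") and value.endswith("/"):
            pattern = re.compile(value[1:-1])

            def regex_match(record: dict) -> bool:
                found = _lookup(record, name)
                return found is not None and pattern.search(str(found)) is not None

            return regex_match
        allowed = {v.strip() for v in value.split(" or ")}

        def equals_one_of(record: dict) -> bool:
            found = _lookup(record, name)
            return found is not None and str(found) in allowed

        return equals_one_of
    return lambda record: _lookup(record, spec) is not None


def parse_index_rules(expr: str) -> list:
    """Parse an Index-column expression into ordered (index, [conditions]) rules."""
    rules = []
    for index_name, body in _CLAUSE.findall(expr):
        if body.strip().lower() == "otherwise":
            rules.append((index_name.strip(), []))  # unconditional fallback
            continue
        specs = [s.strip() for s in re.split(r",|\band\b", body) if s.strip()]
        # Drop prose annotations such as "normalized from attack_information".
        specs = [s for s in specs if not s.startswith("normalized from")]
        rules.append((index_name.strip(), [_condition(s) for s in specs]))
    if not rules:  # a bare index name such as "Syslog" or "Windows Events"
        rules.append((expr.strip(), []))
    return rules


def select_index(record: dict, expr: str) -> Optional[str]:
    """Return the first index in rule order whose conditions all hold."""
    for index_name, conditions in parse_index_rules(expr):
        if all(check(record) for check in conditions):
            return index_name
    return None


# Index-column expressions copied from the tables on this page.
FORTIANALYZER = "ML IDS/Malware (vendor.attack_name), Traffic (dstip), Syslog (otherwise)"
BARRACUDA_FW = ("ML IDS/Malware (sub_dev_type: fw_threat or fw_av), "
                "Traffic (srcip), Syslog (otherwise)")
F5_IPI = "ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)"
CEF = "Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)"

# Constructed sample records (not real logs); only the routing fields matter.
SAMPLES = [
    ({"vendor": {"attack_name": "example_signature"}, "dstip": "10.0.0.5"}, FORTIANALYZER),
    ({"vendor": {"attack_name": None}, "dstip": "10.0.0.5"}, FORTIANALYZER),
    ({"msg": "system restarted"}, FORTIANALYZER),
    ({"sub_dev_type": "fw_av", "srcip": "192.0.2.10"}, BARRACUDA_FW),
    ({"sub_dev_type": "fw_web", "srcip": "192.0.2.10"}, BARRACUDA_FW),
    ({"dev_type": "f5_threat_intelligence", "dstip": "198.51.100.7"}, F5_IPI),
    # proto is missing, so the all-five-fields Traffic rule fails and Syslog wins.
    ({"srcip": "192.0.2.10", "srcport": 51234, "dstip": "198.51.100.7", "dstport": 443}, CEF),
]


def route_samples() -> list:
    """Route every sample record; returns the chosen index per record."""
    return [select_index(record, expr) for record, expr in SAMPLES]


if __name__ == "__main__":
    for (record, _), index in zip(SAMPLES, route_samples()):
        print(f"{index!s:15} <- {record}")
```

The last sample shows why a Traffic rule that names five fields sends a flow record with no proto to Syslog instead; check the incoming field set before assuming a parser's Traffic index will populate.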
Device | Port | msg_origin.source | msg_origin.category | Index |
---|---|---|---|---|
(OpnSense) Zenarmor plugin logs | 5604 | sunny_valley_networks_zenarmor | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AAA - Core (CEF) | 5143 | netiq_advance_auth | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Accops | 5526 | accops | vpn | Traffic (srcip), Syslog (otherwise) |
Ahnlab AIPS | 5647 | ahnlab_aips | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Ahnlab EMS | 5657 | ahnlab_ems | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Ahnlab EPP | 5640 | ahnlab_epp | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AhnLab Policy Center | 5571 | ahnlab_policy_center | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AhnLab TrusGuard | 5558 | ahnlab_trusguard | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AirGap Ransomware Kill Switch | 5602 | airgap_ransomware_kill_switch | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AIX | 5523 | aix | unixlogs | Traffic (event_time: time format of hour:minute:second), Syslog (otherwise) |
Alcatel Lucent Switch | 5677 | alcatel_lucent_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Aliyun / AliCloud | 5545 | aliyun | paas | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Android | 5605 | android | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Apache HTTP Server (httpd) | 5663 | apache_httpd | weblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AQTRONiX WebKnight | 5658 | aqtronix_webknight | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Aqua Cloud Native Application Protection Platform (CNAPP 2022.4) | 5656 | aquasecurity_cnapp | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Arbor Peakflow SP | 5598 | arbor_peakflow_sp | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Array Networks APV Series Load Balancing & App Delivery | 5680 | array_networks_apv | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Array Networks ASF 1800 | 5675 | array_networks_asf_1800 | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Array Networks Secure Access Gateway | 5537 | array_sag | vpn | Traffic (srcip), Syslog (otherwise) |
Aruba ClearPass Policy Manager (CEF) | 5143 | aruba_clear_pass | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Aruba Switch | 5577 | aruba_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Automox | 5183 | automox | patch | Syslog |
Avanan | 5681 | avanan | - | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Avanan (HTTP JSON) | 5200 (tcp only) | avanan | - | Syslog |
Avaya Switch | 5607 | avaya_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AWS WAF (HTTP JSON) | 5200 (tcp only) | aws_waf | waf | Syslog |
Azure ATP (CEF) | 5143 | azure_atp | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Azure MFA | 5528 | azure_mfa | iam | Traffic (srcip), Syslog (otherwise) |
Barracuda email | 5559 | barracuda_email | - | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Barracuda firewall | 5524 | barracuda_fw | firewall | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise) |
Barracuda WAF | 5524 | barracuda_waf | waf | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise) |
BeyondTrust BeyondInsight | 5621 | beyondtrust_beyondinsight | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
BeyondTrust PasswordSafe | 5692 | beyondtrust_passwordsafe | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Bitdefender (HTTP JSON) (Syslog JSON) | 5200 (tcp only), 5142 | bitdefender | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
BlackBerry CylancePROTECT & CylanceOPTICS | 5177 | cylance | endpoint | Traffic (srcip), Syslog (otherwise) |
BlueCoatProxySG | 5576 | bluecoat_proxysg | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Brocade switch (system & admin logs) | 5548 | brocade_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Calyptix UTM | 5161 | calyptix | firewall | ML IDS/Malware (ids.signature), Traffic (srcip), Syslog (otherwise) |
Centos Audit | 5673 | centos_audit | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Centrify | 5165 | centrify | iam | Syslog |
Cerberus FTP Logs | 5635 | cerverus_ftp | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Check Point - Application Control (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Check Point - URL Filtering (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CheckPoint appliance | 5174 | fw_checkpoint_appliance | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CheckPoint firewall | 5519 | fw_checkpoint | firewall | Traffic (srcip), Syslog (otherwise) |
CheckPoint Harmony EP | 5618 | checkpoint_harmony_ep | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CheckPoint VPN-1 & FireWall-1 (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco ASA | 5518 | fw_cisco_asa | firewall | Traffic (srcip), Syslog (otherwise) |
Cisco CUCM | 5532 | cisco_cucm | voip | Syslog |
Cisco ESA | 5562 | cisco_esa | - | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco ESA | 5164 (deprecated) | openldap_style | - | Syslog |
Cisco Firepower | 5168 | ips_fire_power | firewall | Traffic (srcip), Syslog (otherwise) |
Cisco IKE | 5176 | ciscovpn | vpn | Syslog |
Cisco IronPort | 5163 | cisco_ironport | - | Syslog |
Cisco ISE | 5157 | ciscoise | asset | Syslog |
Cisco MDS | 5563 | cisco_mds | netlogs | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Meraki | 5172 | meraki | firewall | Traffic (srcip), Syslog (otherwise) ML IDS/Malware (threat), (device_event_category, msg, signature, event_severity), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Netflow | 2055 (udp only) | netflow | traffic | Traffic |
Cisco routers and switches | 5158 | cisco_router_switch | netlogs | Syslog |
Cisco UCS | 5579 | cisco_ucs | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Umbrella | 5521 | cisco_umbrella | dnssec | Syslog |
Cisco VPN | 5156 | ciscovpn | vpn | Syslog |
Cisco WLC | 5531 | cisco_wlc | wireless | Syslog |
Citrix Access Gateway | 5688 | citrix_access_gateway | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Citrix NetScaler | 5166 | netscaler | netmgmt | Syslog |
Citrix NetScaler (CEF) | 5143 | netscaler | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CoSoSys Endpoint Protection | 5654 | cososys | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Comodo - CIS CCS (CEF) | 5143 | comodo | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CoreLight Sensor | 5575 | corelight_sensor | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cribl default (Syslog JSON) | 5142 | json | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cribl / NXLog (Syslog JSON) | 5142 | microsoft | endpoint | Windows Events |
CrowdStrike (beats) | 5044 | crowdstrike | endpoint | Syslog |
CrowdStrike (CEF) | 5143 | crowdstrike | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CyberArk PTA (CEF) | 5143 | cyberark | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cynet (CEF) | 5143 | cynet | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
D-Link | 5189 | dlink | wireless | Traffic (srcip), Syslog (otherwise) |
DBSafer | 5181 | dbsafer | dlp | Syslog |
Deep Instinct | 5628 | deep_instinct | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dell EMC Powerstore | 5683 | dell_powerstore | storage | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dell iDRAC | 5566 | dell_idrac | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dell Switch | 5578 | dell_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
DHCP (beats) | 5044 | dhcp | netmgmt | Traffic (srcmac), Syslog (otherwise) |
DHCPD (IS DHCP) | 5554 | dhcpd | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
DNSVault RPZdb | 5639 | dnsvault_rpzdb | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dragos (CEF) | 5539 | dragos | otsec | Traffic (srcip), Syslog (otherwise) |
DrayTek Firewall | 5593 | draytek_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
eDictionary - eDictionary (CEF) | 5143 | edictionary | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Egnyte (Syslog JSON) (HTTP JSON) | 5142, 5200 (tcp only) | egnyte | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Ericom ZTEdge | 5603 | ericom_ztedge | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ESET PROTECT | 5655 | eset_protect | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ExtraHop (CEF) | 5143 | extrahop | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Extreme AirDefense | 5612 | extreme_airdefense | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Extreme Controller | 5666 | extreme_controller | wireless | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ExtremeCloud IQ Site Engine | 5614 | extreme_site_engine | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 - ASM (CEF) | 5143 | f5 | waf | ML IDS/Malware (threat, normalized from attack_type), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 BIG-IP | 5162 | f5_big_ip | firewall | ML IDS/Malware (IDS signature), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 BIG-IP Telemetry (HTTP JSON) | 5200 (tcp only) | f5_big_ip | firewall | Syslog |
F5 IPI | 5536 | f5_threat_intelligence | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 iRule | 5536 | f5_irule | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 L7 DDOS | 5536 | f5_l7ddos | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 Mitigation | 5536 | f5_ddos | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 NGINX | 5151 | nginx | weblogs | Syslog |
F5 Silverline | 5536 | f5_silverline | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 VPN | 5187 | f5_vpn | vpn | Syslog |
F5 WAF | 5536 | f5_waf | waf | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
FatPipe Networks SD-WAN | 5583 | fatpipe_sd_wan | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
FluentD (HTTP JSON) | 5200 (tcp only) | kubernetes | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint | 5143 | forcepoint_dlp | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint - Firewall (CEF) | 5143 | forcepoint_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint - DLP (CEF) | 5143 | forcepoint | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint - Firewall (CEF) | 5143 | forcepoint | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint Web Security (CEF) | 5143 | forcepoint | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ForeScout | 5154 | forescout | asset | Syslog |
Fortinet FortiAnalyzer | 5542 | forti_analyzer | ndr | ML IDS/Malware (vendor.attack_name), Traffic (dstip), Syslog (otherwise) |
Fortinet FortiAuthenticator | 5671 | fortinet_fortiauthenticator | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiEDR | 5661 | fortinet_fortiedr | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet Forticloud FortiClient EMS Cloud Endpoint Management Services | 5682 | fortinet_forticlient_ems | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiGate | 5517 | fw_fortigate | firewall | Traffic (action), Syslog (otherwise) |
Fortinet Fortigate (CEF) | 5143 | fw_fortigate | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiMail | 5616 | forti_mail | - | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiSandbox | 5648 | fortinet_fortisandbox | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiWeb | 5642 | fortinet_fortiweb | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
FutureSystems WeGuardia SSL plus (SSL VPN) | 5651 | future_systems_weguardia_ssl_plus | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Graylog format | 5569 | graylog | endpoint | Windows Events (winlogevent), ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Guardicore (CEF) | 5143 | guardicore | cloudsec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
HanDreamnet VIPM | 5676 | handreamnet_vipm | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Hewlett Packard UNIX | 5585 | hp-ux | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Hillstone | 5514 | fw_hillstone | firewall | ML IDS/Malware (log_type: threat), Traffic (log_type: traffic) |
HPE Switch | 5595 | hpe_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
IBM AS400 | 5632 | ibm_i | ibm_os_logs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Impero ContentKeeper | 5670 | impero_contentkeeper | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Incapsula SIEM Integration (CEF) | 5143 | incapsula | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Imperva - SecureSphere (CEF) | 5143 | imperva_secure_sphere | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Indusface Web Application Firewall | 5582 | indusface_waf | waf | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Infoblox Data Connector (CEF) | 5143 | infoblox | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Infoblox Network Identity OS (NIOS) | 5587 | infoblox_nios | dnssec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Infocyte HUNT (CEF) | 5143 | infocyte | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
IronScales (CEF) | 5143 | ironscales_irontraps | - | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
IPFIX | 4739 (udp only) | ipfix | traffic | Traffic (srcip, srcport, dstip, dstport, and proto) |
Jsonar Database Security Tool | 5586 | jsonar_db_security_tool | dblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Juniper SRX | 5173 | fw_juniper_srx | firewall | Traffic (srcip), Syslog (otherwise) |
Juniper SSG | 5516 | fw_juniper_ssg | firewall | Traffic (srcip), Syslog (otherwise) |
Juniper Switch | 5591 | juniper_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
KasperskyLab (CEF) | 5143 | kasperskylab | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Kemp Technologies Load Master LB | 5695 | kemp_technologies_load_master_lb | weblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Keycloak | 5653 | keycloak | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Lancope - StealthWatch (LEEF) | 5522 | lancope_stealthwatch | firewall | Traffic (srcip), Syslog (otherwise) |
LanScope Cat | 5588 | lanscope_cat | endpoint | Syslog |
Lepide | 5607 | lepide | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Linux Syslog | 5555 | linux_syslog | unixlogs | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Logstash Suricata | 5629 | logstash_suricata | ndr | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Mailboarder Agent | 5580 | mailboarder_agent | - | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Mako Networks firewall | 5547 | mako_fw | firewall | Traffic (dstip), Syslog (otherwise) |
ManageEngine ADAudit Plus | 5679 | manageengine_adaudit_plus | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ManageEngine ADAuditPlus (CEF) | 5143 | manageengine | iam | Windows Events |
McAfee (CEF) | 5143 | If Web Gateway is in the product name, dev_type is set to mcafee_web_gateway; otherwise the value is determined from the CEF vendor field | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
McAfee Advanced Threat Defense | 5584 | mcafee_atd | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
McAfee ePolicy Orchestrator | 5533 | mcafee_epo | endpoint | Traffic (srcip), Syslog (otherwise) |
McAfee Firewall | 5169 | mcafee_firewall | firewall | Traffic (srcip), Syslog (otherwise) |
McAfee Network Security | 5527 | mcafee_ns | ipds | Traffic (srcip), Syslog (otherwise) |
MCAS SIEM Agent (CEF) | 5143 | mcas | firewall | Windows Events |
Medigate | 5631 | medigate | iotsec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Menlo Security MS-XL50M | 5630 | menlo | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Microsoft IIS | 5636 | microsoft_iis | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Microsoft IIS (Syslog JSON) | 5142 | json | weblogs | Syslog |
Microsoft Office 365 | 5627 | office365 | office_suite | Windows Events |
Microsoft Windows Event | 5646 | microsoft_windows_event | endpoint | Windows Events (winlogevent), Syslog (otherwise) |
Microsoft Windows via Graylog | 5569 | microsoft_windows | endpoint | Windows Events (winlogevent) |
MicroWorld eScan | 5645 | microworld_escan | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
MikroTik firewall and router | 5553 | mikrotik | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
MONITORAPP AI WAF 4.1 | 5613 | monitorapp_ai_waf | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
MONITORAPP WAF 1.0 | 5535 | monitor_app | websec | Traffic (srcip), Syslog (otherwise) |
Nasuni | 5592 | nasuni | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NetApp | 5608 | netapp | dblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Netfilter | 5544 | netfilter | netlogs | Traffic (dstip), Syslog (otherwise) |
NetIQ - Identity Manager (CEF) | 5143 | netiq_identity_manager | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NetIQ Access Manager | 5167 | access_manager | iam | Syslog |
NetIQ SSO | 5171 | netiqsso | iam | Syslog |
Netman Smart NAC | 5650 | netman_smart_nac | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NetMotion | 5641 | absolute_netmotion | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NXLog (also see Cribl, above) | 5601 | nxlog | paas | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OneLogin | 5581 | one_login | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Open LDAP (for Cisco ESA, use 5562) | 5164 | openldap_style | - | Syslog |
OpenCanary | 5638 | opencanary | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OpenShift | 5573 | redhat_openshift | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OpenVPN | 5643 | openvpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OPNsense | 5660 | opnsense | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Oracle DB | 5170 | oracle | dblogs | Traffic (srcip), Syslog (otherwise) |
Oracle Solaris | 5664 | oracle_solaris | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Ordr Connected Device Security | 5622 | ordr_cds | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
PacketFence | 5686 | packetfence | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Palo Alto Networks - Next Generation Firewall (LEEF) | 5522 | fw_palo_alto | firewall | Traffic (srcip), Syslog (otherwise) |
Palo Alto Networks - Traps Agent (CEF) | 5143 | palo_alto_networks_traps_agent | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Palo Alto Networks Next-Generation Firewall and Panorama (BSD syslog and CSV) | 5515 | fw_palo_alto | firewall | Traffic (type: traffic), ML IDS/Malware (type: threat), Syslog (otherwise) |
Palo Alto Networks Firewall via Graylog | 5569 | fw_palo_alto | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Penta Security WAPPLES WAF | 5560 | penta_security_wapples | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Peplink XDR | 5665 | peplink_xdr | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Perception Point X-Ray | 5667 | perceptionpoint_xray | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
pfSense Firewall | 5543 | pfsense_fw | firewall | Syslog |
PIOLINK WEBFRONT-K | 5617 | piolink_webfront_k | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
PrintChaser | 5179 | printchaser | dlp | Syslog |
Privacy-i | 5178 | privacy | dlp | Syslog |
Proofpoint | 5596 | proofpoint | - | Syslog |
Pulse Secure | 5534 | pulse_secure | vpn | Syslog |
Radware DefensePro | 5619 | radware_defense_pro | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Rapid7 | 5153 | rapid7 | security_scan | Syslog |
RazLeeSecurity - Audit (CEF) | 5143 | ibm_raz_lee_security | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
RSA Authentication Manager | 5184 | rsa_auth | nsa | Syslog |
Ruckus ZoneDirector | 5662 | ruckus_zone_director | wireless | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
RuiJie Switch | 5689 | ruijie_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SafePC | 5180 | safepc | cloudsec | Syslog |
Sangfor NGAF | 5637 | sangfor_ngaf | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SECUI Firewall | 5561 | secui_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SECUI MF2 Firewall | 5570 | secui_mf2 | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SECUI MFD | 5611 | secui_mfd | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Secureki APPM 6 | 5693 | secureki_appm | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Security Strategy Research (SSR) Metieye | 5572 | ssr_metieye | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Secuway SSLVPN | 5652 | secuwiz_secuway_sslvpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SentinelOne (CEF2) | 5175 | cef_device_vendor | endpoint | Traffic (srcip), Syslog (otherwise) |
SentinelOne Mgmt (CEF) | 5143 | sentinelone_endpoint | endpoint | ML IDS/Malware (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SentinelOne Security Center (CEF) | 5143 | sentinelone_endpoint | endpoint | ML IDS/Malware (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SentinelOne Singularity Mobile | 5623 | sentineone_sm | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ServiceNow Now Platform | 5668 | servicenow_nowplatform | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ShareTech Firewall | 5609 | sharetech_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Snare Agent | 5590 | snare_agent | paas | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sniper IPS | 5182 | sniperips | idps | Traffic (srcip), Syslog (otherwise) |
SonicWall (CEF) | 5143 | sonicwall | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SonicWall - NSA 2400 (CEF) | 5143 | sonicwall_nsa | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SonicWall Firewall | 5152 | sonicfw | firewall | ML IDS/Malware (IDS signature), Traffic (srcip), Syslog (otherwise) |
SonicWall VPN | 5556 | sonicwall_vpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos (CEF) | 5143 | sophos | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos (JSON) | 5530 | sophos | endpoint | Traffic (endpoint_type: traffic), ML IDS/Malware (endpoint_type: threat), Syslog (endpoint_type: computer) |
Sophos endpoint | 5565 | endpoint_sophos | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos endpoint (beats) | 5044 | endpoint_sophos | endpoint | Traffic (srcip), Syslog (otherwise) |
Sophos firewall | 5520 | fw_sophos | firewall | Data goes to the indicated index based on the log_type: |
Sophos Web Appliance | 5626 | sophos_web_app | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Splunk Heavy Forwarder | 5188 | splunk_forwarder | netmgmt | Syslog |
Stormshield Net Security Firewall | 5625 | stormshield_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Symantec Endpoint Protection | 5525 | symantec_ep | endpoint | Traffic (dstip), Syslog (otherwise) |
Symantec Firewall | 5155 | symantec | firewall | Syslog |
Symantec Messaging Gateway | 5567 | symantec_messaging_gateway | - | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Symantec (CEF) | 5143 | symantec_dlp | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Synology Directory Server | 5597 | synology_directory_server | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Thales Group CipherTrust Manager | 5674 | thales_cipher_trust_manager | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trellix FireEye HX |
5644 |
fireeye_hx |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro - Deep Security Agent (LEEF) | 5522 |
trendmicro_dsa |
endpoint |
Traffic (srcip), Syslog (otherwise) |
Trend Micro Apex Central (CEF) |
5143 |
trendmicro_apex_central |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro (CEF) | 5143 |
trendmicro |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro Interscan Messaging |
5678 |
trend_micro_interscan_messaging |
saas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro Proxy | 5540 | trendmicro_proxy |
websec |
Traffic (dstip), Syslog (otherwise) |
Trend Micro TippingPoint |
5672 |
trend_micro_tippingpoint |
idps |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Tripwire Enterprise | 5186 | tripwire |
endpoint |
Syslog |
Ubiquiti | 5552 | ubiquiti |
netlogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Unix |
5633 |
unix |
unixlogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Untangle Firewall (Syslog JSON) |
5142 |
json |
firewall |
ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Varonis DatAdvantage (CEF) | 5143 | varonis_datadvantage |
dlp |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Versa Networks Firewall | 5568 | versa_networks_fw |
firewall |
ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware - Carbon Black (LEEF) | 5522 |
vmware_cb |
endpoint |
Traffic (srcip), Syslog (otherwise) |
VMware ESXi
|
5600 | vmware |
unixlogs |
Syslog |
VMWare Horizon |
5687 |
vmware_horizon |
paas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware NSX-T Data Center | 5574 | vmware_nsx_t |
endpoint (unless log type is dfwpktlogs, then category is firewall) |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware UAG |
5620 |
vmware_uag |
iam |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware Vcenter |
5615 |
vmware_vcenter |
itsm |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMWare VeloCloud SD-WAN |
5685 |
vmware_velocloud_sdwan |
netmgmt |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
WatchGuard - XTM (LEEF) | 5522 |
watchguard_fw |
firewall |
Traffic (srcip), Syslog (otherwise) |
WatchGuard firewall security appliance | 5557 | watchguard_fw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Wazuh |
5634 |
wazuh_siem |
endpoint |
Windows Events (winlogevent) , Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows DNS Server |
5599 |
windows_dns_server |
weblogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows Event NXLog |
5601 |
microsoft_windows |
endpoint |
Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows System Security |
5610 |
windows_system_security |
endpoint |
Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Wins IPS ONE-1 / Wins DDX | 5538 | winsips |
idps |
ML IDS/Malware (vendor.attack_name), Syslog (otherwise) |
WINS Sniper NGFW |
5649 |
wins_sniper_ngfw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zix Mail | 5185 | zix_mail |
|
Traffic (srcip), Syslog (otherwise) |
5143 |
zscaler |
websec |
Syslog |
|
Zscaler ZIA Firewall | 5549 | zscaler_zia_fw |
firewall |
ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zscaler ZIA Web | 5550 | zscaler_zia_web |
weblogs |
ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zscaler ZPA | 5551 | zscaler_zpa |
vpn |
ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zyxel Firewall |
5594 |
zyxel_fw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
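The last column of the table is a small rule language: the indexes are listed in precedence order, and a record lands in the first one whose condition it satisfies, with "Syslog (otherwise)" as the fall-through. The practical consequence is that a firewall log forwarded to a 5-tuple parser with only a source address lands in Syslog, while the same record on a "Traffic (srcip)" parser lands in Traffic, and on a parser whose first rule is "ML IDS/Malware (threat)" a populated threat field wins even when the full 5-tuple is present. The following Python is an added illustration of that reading of the column and is not Stellar Cyber sensor code. It assumes that "field present" means present and non-empty, that the Sophos (JSON) rules compare the value of endpoint_type, and that the model key `sophos_json` stands for the Sophos (JSON) row (the page uses `sophos` for both the CEF and JSON rows). The index names, field names and sample records are constructed for the example.

```python
"""
Model of the index routing rules in the parser table above.

Added illustration, not Stellar Cyber's sensor code. Only what the table's
last column states is modelled: rules are tried in the listed order and the
first whose condition holds picks the index; "Syslog (otherwise)" is the
fall-through. Field names (srcip, srcport, dstip, dstport, proto, threat,
winlogevent, endpoint_type) come from the table; sample records are constructed.
"""
from __future__ import annotations

FIVE_TUPLE = ("srcip", "srcport", "dstip", "dstport", "proto")

# A requirement is either a field name (present and non-empty) or a
# (field, value) pair (field equal to value, as in the Sophos (JSON) row).
# Each parser maps to an ordered list of (index, requirements).
RULES: dict[str, list[tuple[str, tuple]]] = {
    # Zyxel Firewall (5594): Traffic (5-tuple), Syslog (otherwise)
    "zyxel_fw": [("traffic", FIVE_TUPLE), ("syslog", ())],
    # VMware - Carbon Black (LEEF, 5522): Traffic (srcip), Syslog (otherwise)
    "vmware_cb": [("traffic", ("srcip",)), ("syslog", ())],
    # Zscaler ZIA Firewall (5549): ML IDS/Malware (threat) takes precedence
    "zscaler_zia_fw": [("ml_ids_malware", ("threat",)),
                       ("traffic", FIVE_TUPLE), ("syslog", ())],
    # Wazuh (5634): Windows Events (winlogevent) takes precedence
    "wazuh_siem": [("windows_events", ("winlogevent",)),
                   ("traffic", FIVE_TUPLE), ("syslog", ())],
    # Tripwire Enterprise (5186): Syslog only
    "tripwire": [("syslog", ())],
    # Sophos (JSON, 5530), keyed "sophos_json" here (assumed key):
    # routed on the value of endpoint_type, and the table states no "otherwise"
    "sophos_json": [("traffic", (("endpoint_type", "traffic"),)),
                    ("ml_ids_malware", (("endpoint_type", "threat"),)),
                    ("syslog", (("endpoint_type", "computer"),))],
}


def _holds(record: dict, req) -> bool:
    """True when one requirement is satisfied by the record."""
    if isinstance(req, tuple):
        field, value = req
        return record.get(field) == value
    return record.get(req) not in (None, "")


def route(parser: str, record: dict) -> str | None:
    """Index the record lands in, or None when no rule of the parser matches."""
    if parser not in RULES:
        raise ValueError(f"no routing rules modelled for parser {parser!r}")
    for index, requirements in RULES[parser]:
        if all(_holds(record, r) for r in requirements):
            return index
    return None  # only possible for parsers without a Syslog fall-through


def missing_for_traffic(parser: str, record: dict) -> tuple:
    """Requirements the parser's Traffic rule still lacks; () when it matches.

    Useful when a flow unexpectedly lands in Syslog: it names the fields the
    parser did not find in the record.
    """
    for index, requirements in RULES[parser]:
        if index == "traffic":
            return tuple(r for r in requirements if not _holds(record, r))
    raise ValueError(f"{parser!r} has no Traffic rule")


# Constructed sample records shaped like parsed events (not real logs).
FLOW = {"srcip": "10.0.0.5", "srcport": 51514, "dstip": "203.0.113.9",
        "dstport": 443, "proto": "tcp"}
PARTIAL = {"srcip": "10.0.0.5", "msg": "login failed"}       # no full 5-tuple
THREAT_FLOW = dict(FLOW, threat="Trojan.Generic")            # constructed name
WIN_EVENT = {"winlogevent": {"event_id": 4625}, "srcip": "10.0.0.7"}

if __name__ == "__main__":
    cases = [("zyxel_fw", FLOW), ("zyxel_fw", PARTIAL), ("vmware_cb", PARTIAL),
             ("zscaler_zia_fw", THREAT_FLOW), ("wazuh_siem", WIN_EVENT),
             ("tripwire", FLOW), ("sophos_json", {"endpoint_type": "alert"})]
    for parser, rec in cases:
        print(f"{parser:15s} -> {route(parser, rec)}")
    print("zyxel_fw needs for Traffic:", missing_for_traffic("zyxel_fw", PARTIAL))
```

Run it directly to see the same PARTIAL record routed to Syslog by the 5-tuple parser and to Traffic by the srcip-only parser. The Sophos (JSON) row has no "otherwise" in the table, so a record with an unlisted endpoint_type returns None rather than a guessed index; treat that as "the page does not say" rather than as documented behaviour.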