Log Parser Ports
To receive and parse logs from devices on your network, Stellar Cyber modular sensors require open inbound ports. These ports are open on modular sensors by default. If there are any firewalls in the data path between the log sources and a modular sensor, you must also open the appropriate ports on those firewalls. This topic lists the supported log parsers and related details, including the port each parser uses. Log parsers are organized in two categories: Generic Log Parsers and Vendor-specific Log Parsers.
Also see: Firewall Requirements
Unless otherwise noted, the ports listed are applicable for both UDP and TCP.
During installation, the sensor timezone is automatically set to UTC+0. Because the logs from some security products include only the local time with no timezone indicator, Stellar Cyber recommends that you set the sensor timezone to match the timezone of your security product so that event timestamps are interpreted correctly.
Choosing an Ingestion Port
Modular sensors listen on port 514 by default and analyze the logs they receive to determine the source device. In some cases, Stellar Cyber provides specific ports for industry-standard log formats, as well as specialized parsers that process vendor-specific logs in more detail. Sending a log type to its more specific port, rather than to port 514, provides the following benefits:
- It speeds up data ingestion and log parsing and increases sensor performance, because the sensor already knows the source device.
- It retains the correct log source when the sensor forwards normalized logs as Interflow records to the Stellar Cyber Open XDR platform.
Use the following as a guide:
- If the logs are in standard Common Event Format (CEF), Log Event Extended Format (LEEF), or JavaScript Object Notation (JSON) format, forward the data to the port for that standard as listed in Generic Log Parsers.
- If the logs are in standard Syslog format, use the port listed for that vendor in Vendor-specific Log Parsers.
- If the logs are in a specialized format, such as Syslog payloads that must be parsed with regular expressions, key-value pairs, or comma-separated values (CSV), use the vendor-specific ports.
Using the Port Relay Feature to Minimize Open Ports
It is a best practice in Stellar Cyber to send logs to their vendor-specific parsers when one is available. In releases prior to 4.3.5, this was done by looking up the vendor-specific port in the list below, pointing your log source at that port on the sensor IP address, and opening the port in your firewall.
This approach is still available. As an alternative, you can configure your sensors to accept log traffic on the generic syslog ports 514 (non-TLS) or 6514 (TLS) and relay that traffic internally to the vendor-specific ports based on the source IP address of the traffic.
How you do this depends on the release your sensors are running:
- For sensors running 4.3.5, configure port relay in the sensor CLI using the instructions below.
- For sensors running 4.3.6, configure port relay in the System | Collection | Log Sources page. In 4.3.6, CLI configuration is deprecated and only the Log Sources page is used.
Configuring Port Relay in the CLI (4.3.5)
You configure the port relay feature for sensors running 4.3.5 as follows:
- Find the IP address of your log source.
- Use the Log Parser Ports topic to find the parser port for your log source.
- Connect to the sensor CLI.
- Use the set logforwarder device-ip command to make an entry on the sensor for your log source and the corresponding destination port. The syntax is as follows:
set logforwarder device-ip <IP Address> parser-port <Integer> ingestion-port <514|6514 default=514>
For example, if you are sending Azure MFA logs from 10.33.5.5 to the sensor, you can either send them directly to port 5528 as in previous releases, or send them to the standard syslog port 514 and use the following command on the sensor to relay them internally to 5528:
set logforwarder device-ip 10.33.5.5 parser-port 5528
This command tells the sensor to relay logs received on port 514 (the default, which is why it is not specified explicitly) from 10.33.5.5 to the vendor-specific parser port 5528 for Azure MFA.
Use the ingestion-port argument if you want to listen for a source on the generic TLS syslog port instead of the default of 514. For example, for Netfilter logs sent from 10.31.2.2, the following command relays them from 6514 to their vendor-specific parser port 5544:
set logforwarder device-ip 10.31.2.2 parser-port 5544 ingestion-port 6514
Notes on Using the Port Relay Feature
Keep in mind the following when using the port relay feature:
- The sending log source must be on the same subnet as the receiving sensor, and there must be no proxy or other device between them that can change the log source IP address. The relay entry is matched on the source IP address, so anything that rewrites that address (NAT, a syslog relay, a proxy) prevents the entry from matching.
- When you create a port relay entry, the sensor listens for both UDP and TCP traffic from the specified source. You can confirm this with the show logforwarder port-ingestion command.
- The show logforwarder port-ingestion command is also useful for troubleshooting port relay entries: it shows packet and byte counts for relayed traffic, so you can determine whether traffic is reaching the sensor.
- You can remove port relay entries with unset logforwarder device-ip <IP Address>.
- The CLI warns you if you try to add an unsupported parser port. It still adds the entry, but lists it in the show logforwarder port-ingestion output as inactive.
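The relay procedure above, as an added example that is not Stellar Cyber's code: a Python script that turns an inventory of log sources into the set logforwarder lines to paste into the sensor CLI, applying the checks a practitioner would want first. It rejects a source that is not on the sensor's subnet (the note above), a source whose ingestion port is neither 514 nor 6514, and a source whose parser has no known port (the sensor would accept the entry but list it as inactive). The inventory, the sensor subnet, and the subset of parser ports (copied from the tables on this page) are constructed for the example.

```python
"""Generate Stellar Cyber 4.3.5 'set logforwarder' port-relay commands.

Added example, not Stellar Cyber code. PARSER_PORTS is a subset of this
page's vendor-specific table; LOG_SOURCES and SENSOR_SUBNET are constructed.
"""
import ipaddress

# Vendor-specific parser ports taken from this page (msg_origin.source -> port).
PARSER_PORTS = {
    "azure_mfa": 5528,
    "netfilter": 5544,
    "fw_cisco_asa": 5518,
    "fw_fortigate": 5517,
    "cef_device_vendor": 5143,   # generic CEF parser
}
INGESTION_PORTS = {514, 6514}    # generic syslog: non-TLS and TLS
DEFAULT_INGESTION_PORT = 514

# Constructed inventory: (source IP, parser name, ingestion port the source will use).
LOG_SOURCES = [
    ("10.33.5.5", "azure_mfa", 514),
    ("10.31.2.2", "netfilter", 6514),
    ("192.168.7.9", "fw_cisco_asa", 514),    # not on the sensor subnet
    ("10.33.5.6", "no_such_parser", 514),    # unknown parser port: sensor would list it inactive
    ("10.33.5.7", "fw_fortigate", 1514),     # not a generic ingestion port
]
SENSOR_SUBNET = "10.0.0.0/8"  # constructed; use the prefix the sensor interface actually sits on


def relay_command(device_ip, parser_port, ingestion_port=DEFAULT_INGESTION_PORT):
    """Build one CLI line; ingestion-port is omitted when it is the default."""
    cmd = f"set logforwarder device-ip {device_ip} parser-port {parser_port}"
    if ingestion_port != DEFAULT_INGESTION_PORT:
        cmd += f" ingestion-port {ingestion_port}"
    return cmd


def unset_command(device_ip):
    """CLI line that removes a relay entry again."""
    return f"unset logforwarder device-ip {device_ip}"


def plan_relays(sources, sensor_subnet, parser_ports=PARSER_PORTS):
    """Validate each source and return (commands, rejected).

    commands: CLI lines for sources that pass every check, in input order.
    rejected: (ip, reason) pairs for sources that would not relay correctly.
    """
    net = ipaddress.ip_network(sensor_subnet, strict=False)
    commands, rejected = [], []
    for ip, parser, ingestion_port in sources:
        if ipaddress.ip_address(ip) not in net:
            rejected.append((ip, "not on the sensor subnet; the relay keys on the source IP"))
            continue
        if ingestion_port not in INGESTION_PORTS:
            rejected.append((ip, f"ingestion port {ingestion_port} is not 514 or 6514"))
            continue
        port = parser_ports.get(parser)
        if port is None:
            rejected.append((ip, f"no parser port known for {parser!r}"))
            continue
        commands.append(relay_command(ip, port, ingestion_port))
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = plan_relays(LOG_SOURCES, SENSOR_SUBNET)
    print("\n".join(cmds))
    for ip, why in bad:
        print(f"# skipped {ip}: {why}")
```

Run the script and paste its output into the sensor CLI; the commented lines tell you which sources still need to be pointed directly at a vendor port (or moved onto the sensor's subnet) instead.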
Generic Log Parsers
This table includes all supported generic log parser formats, the required firewall port, device type, and the associated Stellar Cyber index.
Use the msg_origin.source field in the Interflow to find the logs when threat hunting in the specified index. The Interflow also carries msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser type (cef, leef).
When the Stellar Cyber Platform processes logs, it chooses the index based on the data in the log. The conditions in the Index column are evaluated in the order listed. For example, the Index for LEEF is Traffic (srcip), Syslog (otherwise): the record goes to the Traffic index if a source IP address is present, and to the Syslog index if not.
Following are the firewall ports to open for generic log formats, along with other useful details.
Standard | Port | msg_origin.source | Index | Comments |
---|---|---|---|---|
CEF | 5143 | cef_device_vendor | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise). Some vendor records received as CEF are also indexed in IDPS/Malware Sandbox Events, with the threat field normalized from the log as noted for that vendor in the vendor-specific table below. | Stellar Cyber recommends you use CEF, if available. |
CEF2 | 5175 | cef_device_vendor | Traffic (srcip), Syslog (otherwise) | - |
Generic capture | 5201 | generic_capture | Syslog | - |
Generic syslog | 514 | - | - | Use only if you must use a log forwarder. |
HTTP JSON | 5200 (tcp) | httpjson | Syslog | When you configure your log forwarding for the HTTP JSON parser on this port, you must append /httpjson to the end of the target sensor's URL. Example: http://<sensor-ip>:5200/httpjson |
JSON stream | 5142 | json | Syslog | - |
JSON beats | 5044 | beats | Syslog | - |
LEEF | 5522 | vendor | Traffic (srcip), Syslog (otherwise) | Stellar Cyber recommends you use LEEF, if available. It is primarily useful for logs from IBM QRadar, for which LEEF was developed. |
Linux Syslog | 5555 | linux_syslogs | Syslog | - |
RFC 3164 | 5140 | syslog | Syslog | - |
RFC 5424 | 5141 | syslog | Syslog | - |
RFC 5424 Enhanced | 5589 | syslog_rfc5424 | Syslog | - |
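The port choice described under Choosing an Ingestion Port and the index rule explained above the table, as one added example that is not Stellar Cyber's code: a Python module that sniffs a log line's format, returns the generic port from the table to send it to, parses CEF and LEEF headers and extensions, and predicts the index the table's rule would assign (CEF needs the full srcip/srcport/dstip/dstport/proto set for Traffic, LEEF only srcip, everything else lands in Syslog). The format-detection heuristics, the mapping of CEF/LEEF extension keys (src, spt, dst, dpt, proto, srcPort, dstPort) onto the field names the table uses, and the sample lines are assumptions constructed for illustration, not the sensor's own logic.

```python
"""Sniff a log line's format, pick the generic sensor port, predict its index.

Added example, not Stellar Cyber code. Port numbers and the Traffic/Syslog
rules come from the Generic Log Parsers table; the detection heuristics, the
CEF/LEEF key mapping and the sample lines are assumptions for illustration.
"""
import json
import re

GENERIC_PORTS = {"cef": 5143, "leef": 5522, "json": 5142,
                 "rfc5424": 5141, "rfc3164": 5140, "syslog": 514}
CEF_TO_INTERFLOW = {"src": "srcip", "spt": "srcport", "dst": "dstip",
                    "dpt": "dstport", "proto": "proto"}
LEEF_TO_INTERFLOW = {"src": "srcip", "srcPort": "srcport", "dst": "dstip",
                     "dstPort": "dstport", "proto": "proto"}
_PRI = re.compile(r"^<\d{1,3}>(1 )?")              # syslog <PRI>, optional RFC 5424 version
_CEF_PIPE = re.compile(r"(?<!\\)\|")                # header separator, skipping escaped '\|'
_CEF_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # a value runs until the next ' key='


def strip_pri(line):
    """Return (body after any syslog <PRI> prefix, True if an RFC 5424 version was seen)."""
    m = _PRI.match(line)
    return (line[m.end():], bool(m.group(1))) if m else (line, False)


def detect_format(line):
    """Heuristic format sniffing (assumption, not the sensor's own classifier)."""
    body, is_5424 = strip_pri(line)
    if "CEF:0|" in body:          # CEF is often wrapped in a syslog header
        return "cef"
    if "LEEF:" in body:
        return "leef"
    if body.lstrip().startswith("{"):
        try:
            json.loads(body)
            return "json"
        except ValueError:
            pass
    if is_5424:
        return "rfc5424"
    return "rfc3164" if _PRI.match(line) else "syslog"


def parse_cef(line):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    body = strip_pri(line)[0]
    body = body[body.index("CEF:"):]
    parts = _CEF_PIPE.split(body, 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = {"device_vendor": parts[1].replace("\\|", "|"),
              "device_product": parts[2].replace("\\|", "|"),
              "name": parts[5], "severity": parts[6]}
    fields.update(_CEF_KV.findall(parts[7]))
    return fields


def parse_leef(line):
    """LEEF:1.0|Vendor|Product|Version|EventID|attrs (tab-separated) or LEEF:2.0|...|delim|attrs."""
    body = strip_pri(line)[0]
    body = body[body.index("LEEF:"):]
    version = body[5:8]
    parts = body.split("|", 6 if version == "2.0" else 5)
    if version == "2.0":
        delim, attrs = (parts[5] or "\t"), parts[6]   # empty delimiter field means tab
    else:
        delim, attrs = "\t", parts[5]
    fields = {"device_vendor": parts[1], "device_product": parts[2], "event_id": parts[4]}
    fields.update(kv.split("=", 1) for kv in attrs.split(delim) if "=" in kv)
    return fields


def predict_index(fmt, fields):
    """Table rule: CEF needs the full 5-tuple for Traffic, LEEF only srcip; otherwise Syslog."""
    need = {"cef": ("srcip", "srcport", "dstip", "dstport", "proto"), "leef": ("srcip",)}.get(fmt)
    if not need:
        return "Syslog"
    return "Traffic" if all(fields.get(k) for k in need) else "Syslog"


def route(line):
    """Return the generic port for this line, its format, the predicted index and parsed fields."""
    fmt = detect_format(line)
    fields = {}
    if fmt == "cef":
        fields = {CEF_TO_INTERFLOW.get(k, k): v for k, v in parse_cef(line).items()}
    elif fmt == "leef":
        fields = {LEEF_TO_INTERFLOW.get(k, k): v for k, v in parse_leef(line).items()}
    return {"format": fmt, "port": GENERIC_PORTS[fmt],
            "index": predict_index(fmt, fields), "fields": fields}


# Constructed sample lines, one per format (not real device output).
SAMPLES = [
    "<134>Jan 12 10:00:01 fw01 CEF:0|Acme|NGFW|1.0|100|Blocked connection|5|"
    "src=10.1.1.5 spt=51523 dst=203.0.113.9 dpt=443 proto=TCP act=deny",
    "CEF:0|Acme|NGFW|1.0|200|Admin login|3|src=10.1.1.7 suser=admin",
    "LEEF:2.0|Acme|IDS|2.1|SQLi|^|src=10.1.1.8^dst=10.2.2.2^proto=TCP",
    "<165>1 2024-01-12T10:00:02Z host1 app - - - user login",
    "<34>Jan 12 10:00:03 host1 su: 'su root' failed for alice",
    '{"event": "auth", "srcip": "10.1.1.9"}',
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = route(s)
        print(f"{r['format']:8} port {r['port']:5} -> {r['index']}")
```

The second CEF sample shows the caveat hidden in the table's rule: a CEF record that carries only a source address is not a Traffic record on port 5143, it goes to Syslog, whereas the same record sent as LEEF (or to the CEF2 port 5175) would qualify for Traffic on srcip alone. Check which fields your device actually emits before choosing between those ports.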
Vendor-specific Log Parsers
This table includes all supported vendor-specific parsers, the required firewall port, device type, and their associated Stellar Cyber indices.
The msg_origin.source column specifies the vendor's product. Use that field in the Interflow to find the logs when threat hunting in the specified index. The msg_origin.category column specifies the overall category.
The Interflow also carries msg_origin.processor.type, which is always log_forwarder for log parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser name.
The Index column indicates the fields that must be present (and not null) for the logged data to be entered into the respective index, evaluated in the order listed. In some cases no specific field is required, so only the index name is listed. For many parsers, data that matches no specific index is "otherwise" mapped into the Syslog index. For example, for FortiAnalyzer logs received on port 5542, a record is added to the IDPS/Malware Sandbox Events index if the incoming field vendor.attack_name is not null; it is added to the Traffic index if dstip is not null; all remaining records go to the Syslog index. Use the dev_type field in the Interflow to find the logs when threat hunting in the specified index.
Device | Port | msg_origin.source | msg_origin.category | Index |
---|---|---|---|---|
(OpnSense) Zenarmor plugin logs | 5604 | sunny_valley_networks_zenarmor | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AAA - Core (CEF) | 5143 | netiq_advance_auth | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Accops | 5526 | accops | vpn | Traffic (srcip), Syslog (otherwise) |
AhnLab AIPS | 5647 | ahnlab_aips | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AhnLab EMS | 5657 | ahnlab_ems | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AhnLab EPP | 5640 | ahnlab_epp | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AhnLab Policy Center | 5571 | ahnlab_policy_center | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AhnLab TrusGuard | 5558 | ahnlab_trusguard | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AirGap Ransomware Kill Switch | 5602 | airgap_ransomware_kill_switch | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AIX | 5523 | aix | unixlogs | Traffic (event_time: time format of hour:minute:second), Syslog (otherwise) |
Alcatel Lucent Switch | 5677 | alcatel_lucent_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Aliyun / AliCloud | 5545 | aliyun | paas | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Android | 5605 | android | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Apache HTTP Server (httpd) | 5663 | apache_httpd | weblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Appgate VPN | 5743 | appgate_vpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AQTRONiX WebKnight | 5658 | aqtronix_webknight | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Aqua Cloud Native Application Protection Platform (CNAPP 2022.4) | 5656 | aquasecurity_cnapp | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Arbor Peakflow SP | 5598 | arbor_peakflow_sp | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Arista Networks Data Center Switch Router | 5747 | arista_data_center_switch_router | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Array Networks APV Series Load Balancing & App Delivery | 5680 | array_networks_apv | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Array Networks ASF 1800 | 5675 | array_networks_asf_1800 | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Array Networks Secure Access Gateway | 5537 | array_sag | vpn | Traffic (srcip), Syslog (otherwise) |
Aruba ClearPass Policy Manager (CEF) | 5143 | aruba_clear_pass | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Aruba Switch | 5577 | aruba_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Automox | 5183 | automox | patch | Syslog |
Avanan | 5681 | avanan | | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Avanan (HTTP JSON) | 5200 (tcp only) | avanan | | Syslog |
Avaya Switch | 5607 | avaya_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AWS WAF (HTTP JSON) | 5200 (tcp only) | aws_waf | waf | Syslog |
AXGATE Next Generation Firewall | 5703 | axgate_ngfw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Azure ATP (CEF) | 5143 | azure_atp | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Azure MFA | 5528 | azure_mfa | iam | Traffic (srcip), Syslog (otherwise) |
Barracuda email | 5559 | barracuda_email | | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Barracuda firewall | 5524 | barracuda_fw | firewall | IDPS/Malware Sandbox Events (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise) |
Barracuda WAF | 5524 | barracuda_waf | waf | IDPS/Malware Sandbox Events (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise) |
BeyondTrust BeyondInsight | 5621 | beyondtrust_beyondinsight | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
BeyondTrust PasswordSafe | 5692 | beyondtrust_passwordsafe | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Bitdefender (HTTP JSON) (Syslog JSON) | 5200 (tcp only), 5142 | bitdefender | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
BlackBerry CylancePROTECT & CylanceOPTICS | 5177 | cylance | endpoint | Traffic (srcip), Syslog (otherwise) |
BlueCoatProxySG | 5576 | bluecoat_proxysg | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Brocade switch (system & admin logs) | 5548 | brocade_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Calyptix UTM | 5161 | calyptix | firewall | IDPS/Malware Sandbox Events (ids.signature), Traffic (srcip), Syslog (otherwise) |
Centos Audit | 5673 | centos_audit | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Centrify | 5165 | centrify | iam | Syslog |
Cerberus FTP Logs | 5635 | cerverus_ftp | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Check Point - Application Control (CEF) | 5143 | fw_checkpoint | firewall | IDPS/Malware Sandbox Events (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Check Point - URL Filtering (CEF) | 5143 | fw_checkpoint | firewall | IDPS/Malware Sandbox Events (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CheckPoint appliance | 5174 | fw_checkpoint_appliance | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CheckPoint firewall | 5519 | fw_checkpoint | firewall | Traffic (srcip), Syslog (otherwise) |
 | 5618 | checkpoint_harmony_ep | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CheckPoint SmartCenter | 5741 | checkpoint_smartcenter | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
 | 5143 | fw_checkpoint | firewall | IDPS/Malware Sandbox Events (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco ACI | 5717 | cisco_aci | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco ASA | 5518 | fw_cisco_asa | firewall | Traffic (srcip), Syslog (otherwise) |
Cisco Catalyst Firewall | 5702 | cisco_catalyst_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Catalyst SD-WAN | 5746 | cisco_sd_wan | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco CUCM | 5532 | cisco_cucm | voip | Syslog |
Cisco ESA | 5562 | cisco_esa | | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco ESA | 5164 (deprecated) | openldap_style | | Syslog |
Cisco Firepower | 5168 | ips_fire_power | firewall | Traffic (srcip), Syslog (otherwise) |
Cisco IKE | 5176 | ciscovpn | vpn | Syslog |
Cisco IronPort | 5163 | cisco_ironport | | Syslog |
Cisco ISE | 5157 | ciscoise | asset | Syslog |
Cisco MDS | 5563 | cisco_mds | netlogs | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Meraki | 5172 | meraki | firewall | IDPS/Malware Sandbox Events (threat; device_event_category, msg, signature, event_severity), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Netflow | 2055 (udp only) | netflow | traffic | Traffic |
Cisco routers and switches | 5158 | cisco_router_switch | netlogs | Syslog |
Cisco Secure Network Analytics (Stealthwatch) | 5719 | cisco_secure_network_analytics | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco UCS | 5579 | cisco_ucs | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Umbrella | 5521 | cisco_umbrella | dnssec | Syslog |
Cisco VPN | 5156 | ciscovpn | vpn | Syslog |
Cisco WLC | 5531 | cisco_wlc | wireless | Syslog |
Citrix Access Gateway | 5688 | citrix_access_gateway | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Citrix NetScaler | 5166 | netscaler | netmgmt | Syslog |
Citrix NetScaler (CEF) | 5143 | netscaler | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Citrix XenServer | 5732 | citrix_xenserver | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Commvault Metallic ThreatWise | 5736 | commvault_metallic_threatwise | mdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Comodo - CIS CCS (CEF) | 5143 | comodo | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ConnectWise ScreenConnect | 5744 | connectwise_screenconnect | remote_access | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CoreLight Sensor | 5575 | corelight_sensor | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CoSoSys Endpoint Protection | 5654 | cososys | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cribl default (Syslog JSON) | 5142 | json | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cribl / NXLog (Syslog JSON) | 5142 | microsoft | endpoint | Windows Events |
CrowdStrike (beats) | 5044 | crowdstrike | endpoint | Syslog |
CrowdStrike (CEF) | 5143 | crowd_strike_falcon_host | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CyberArk PTA (CEF) | 5143 | cyberark | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cygna Labs Cygna Auditor | 5718 | cygna_labs_cygna_auditor | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cynerio | 5727 | cynerio | iot | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cynet (CEF) | 5143 | cynet | xdr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
D-Link | 5189 | dlink | wireless | Traffic (srcip), Syslog (otherwise) |
DBSafer | 5181 | dbsafer | dlp | Syslog |
Deep Instinct | 5628 | deep_instinct | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dell EMC Powerstore | 5683 | dell_powerstore | storage | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dell iDRAC | 5566 | dell_idrac | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dell Switch | 5578 | dell_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
DHCP (beats) | 5044 | dhcp | netmgmt | Traffic (srcmac), Syslog (otherwise) |
DHCPD (ISC DHCP) | 5554 | dhcpd | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
DNSVault RPZdb | 5639 | dnsvault_rpzdb | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dragos (CEF) | 5539 | dragos | otsec | Traffic (srcip), Syslog (otherwise) |
DrayTek Firewall | 5593 | draytek_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ECS Suricata (HTTP JSON) | 5200 (tcp only) | suricata | ndr | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ECS Windows (HTTP JSON) | 5200 (tcp only) | microsoft_windows | endpoint | Windows Events (winlogevent) |
eDictionary - eDictionary (CEF) | 5143 | edictionary | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Egnyte (Syslog JSON) (HTTP JSON) | 5142, 5200 (tcp only) | egnyte | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Epay (collected by Logstash) | 5728 | epay | finance | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Ericom ZTEdge | 5603 | ericom_ztedge | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ESET PROTECT | 5655 | eset_protect | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Exium SASE (HTTP JSON) | 5200 (tcp only) | exium_sase | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ExtraHop (CEF) | 5143 | extrahop | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Extreme AirDefense | 5612 | extreme_airdefense | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Extreme Controller | 5666 | extreme_controller | wireless | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ExtremeCloud IQ Site Engine | 5614 | extreme_site_engine | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Extreme Networks X690 | 5699 | extreme_x690 | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 - ASM (CEF) | 5143 | f5 | waf | IDPS/Malware Sandbox Events (threat, normalized from attack_type), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 BIG-IP | 5162 | f5_big_ip | firewall | IDPS/Malware Sandbox Events (IDS signature), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 BIG-IP Telemetry (HTTP JSON) | 5200 (tcp only) | f5_big_ip | firewall | Syslog |
F5 IPI | 5536 | f5_threat_intelligence | firewall | IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 iRule | 5536 | f5_irule | firewall | IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 L7 DDOS | 5536 | f5_l7ddos | firewall | IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 Mitigation | 5536 | f5_ddos | firewall | IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 NGINX | 5151 | nginx | weblogs | Syslog |
F5 Silverline | 5536 | f5_silverline | firewall | IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 VPN | 5187 | f5_vpn | vpn | Syslog |
F5 WAF | 5536 | f5_waf | waf | IDPS/Malware Sandbox Events (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
FatPipe Networks SD-WAN | 5583 | fatpipe_sd_wan | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint | 5143 | forcepoint_dlp | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint - Firewall (CEF) | 5143 | forcepoint_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint - DLP (CEF) | 5143 | forcepoint | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint - Firewall (CEF) | 5143 | forcepoint | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint Web Security (CEF) | 5143 | forcepoint | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ForeScout | 5154 | forescout | asset | Syslog |
FortiADC | 5725 | fortinet_fortiadc | netlogs | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiAnalyzer | 5542 | forti_analyzer | ndr | IDPS/Malware Sandbox Events (vendor.attack_name), Traffic (dstip), Syslog (otherwise) |
Fortinet FortiAuthenticator | 5671 | fortinet_fortiauthenticator | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiEDR | 5661 | fortinet_fortiedr | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet Forticloud FortiClient EMS Cloud Endpoint Management Services | 5682 | fortinet_forticlient_ems | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiGate | 5517 | fw_fortigate | firewall | Traffic (action), Syslog (otherwise) |
Fortinet Fortigate (CEF) | 5143 | fw_fortigate | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiMail | 5616 | forti_mail | | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiSandbox | 5648 | fortinet_fortisandbox | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiWeb | 5642 | fortinet_fortiweb | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
FutureSystems WeGuardia SSL plus (SSL VPN) | 5651 | future_systems_weguardia_ssl_plus | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Gatewatcher NDR | 5684 | gatewatcher_ndr | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Graylog format | 5569 | graylog | endpoint | Windows Events (winlogevent), IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Guardicore (CEF) | 5143 | guardicore | cloudsec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
HanDreamnet VIPM | 5676 | handreamnet_vipm | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
HAProxy | 5713 | haproxy | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Hewlett Packard UNIX | 5585 | hp-ux | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Hillstone | 5514 | fw_hillstone | firewall | IDPS/Malware Sandbox Events (log_type: threat), Traffic (log_type: traffic) |
HPE Nimble Storage | 5731 | hpe_nimble | storage | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
HPE Switch | 5595 | hpe_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
IBM AS400 | 5632 | ibm_i | ibm_os_logs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Impero ContentKeeper | 5670 | impero_contentkeeper | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Incapsula SIEM Integration (CEF) | 5143 | incapsula | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Imperva - SecureSphere (CEF) | 5143 | imperva_secure_sphere | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Indusface Web Application Firewall | 5582 | indusface_waf | waf | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Infoblox Data Connector (CEF) | 5143 | infoblox | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Infoblox Network Identity OS (NIOS) | 5587 | infoblox_nios | dnssec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Infocyte HUNT (CEF) | 5143 | infocyte | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
IPFIX | 4739 (udp only) | ipfix | traffic | Traffic |
IronScales (CEF) | 5143 | ironscales_irontraps | | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Ivanti Pulse Secure | 5712 | ivanti_pulse_secure | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Jsonar Database Security Tool | 5586 | jsonar_db_security_tool | dblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Juniper SRX | 5173 | fw_juniper_srx | firewall | Traffic (srcip), Syslog (otherwise) |
Juniper SSG | 5516 | fw_juniper_ssg | firewall | Traffic (srcip), Syslog (otherwise) |
Juniper Switch | 5591 | juniper_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
KasperskyLab (CEF) | 5143 | kasperskylab | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Kaspersky Security Center | 5723 | kaspersky_security_center | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
KeeperSecurity Enterprise | 5710 | keeper_security_enterprise | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Kemp Technologies Load Master LB | 5695 | kemp_technologies_load_master_lb | weblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Keycloak | 5653 | keycloak | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Kubernetes (HTTP JSON) | 5200 (tcp only) | kubernetes | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Lancope - StealthWatch (LEEF) | 5522 | lancope_stealthwatch | firewall | Traffic (srcip), Syslog (otherwise) |
LanScope Cat | 5588 | lanscope_cat | endpoint | Syslog |
Lepide | 5607 | lepide | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Libraesva Email Security Gateway (ESG) | 5742 | libraesva_esg | | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Linux Audit | 5697 | linux_audit | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Linux Syslog | 5555 | linux_syslog | unixlogs | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Logstash Suricata | 5629 | logstash_suricata | ndr | IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Mailboarder Agent | 5580 | mailboarder_agent | | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Mako Networks firewall | 5547 | mako_fw | firewall | Traffic (dstip), Syslog (otherwise) |
ManageEngine ADAudit Plus | 5679 | manageengine_adaudit_plus | iam | Windows Events |
ManageEngine ADAuditPlus (CEF) | 5143 | manageengine | iam | Windows Events |
McAfee (CEF) | 5143 | If Web Gateway is in the product name, dev_type is set to mcafee_web_gateway; otherwise the value is taken from the CEF vendor field | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
McAfee Advanced Threat Defense | 5584 | mcafee_atd | ndr | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
McAfee ePolicy Orchestrator | 5533 | mcafee_epo | endpoint | Traffic (srcip), Syslog (otherwise) |
McAfee Firewall | 5169 | mcafee_firewall | firewall | Traffic (srcip), Syslog (otherwise) |
McAfee Network Security | 5527 | mcafee_ns | idps | Traffic (srcip), Syslog (otherwise) |
McAfee Proxy | 5739 | mcafee_proxy | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
MCAS SIEM Agent (CEF) | 5143 | mcas | firewall | Windows Events |
Medigate | 5631 | medigate | iotsec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Melapress WordPress | 5714 | melapress_wordpress | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Menlo Security MS-XL50M | 5630 | menlo | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Microsoft IIS | 5636 | microsoft_iis | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Microsoft IIS (Syslog JSON) | 5142 | json | weblogs | Syslog |
Microsoft Office 365 | 5627 | office365 | office_suite | Windows Events |
Microsoft Windows Event | 5646 | microsoft_windows_event | endpoint | Windows Events (winlogevent), Syslog (otherwise) |
Microsoft Windows via Graylog | 5569 | microsoft_windows | endpoint | Windows Events (winlogevent) |
MicroWorld eScan | 5645 | microworld_escan | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
MikroTik firewall and router | 5553 | mikrotik | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
MONITORAPP AI WAF 4.1 | 5613 | monitorapp_ai_waf | waf | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
MONITORAPP WAF 1.0 | 5535 | monitor_app | websec | Traffic (srcip), Syslog (otherwise) |
Nasuni | 5592 | nasuni | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NetApp | 5608 | netapp | dblogs | Traffic (srcip, srcport, dst, dstport, and proto), Syslog (otherwise) |
Netfilter | 5544 | netfilter | netlogs | Traffic (dstip), Syslog (otherwise) |
NetIQ - Identity Manager (CEF) | 5143 | netiq_identity_manager | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NetIQ Access Manager | 5167 | access_manager | | |
iam |
Syslog |
NetIQ SSO | 5171 | netiqsso |
iam |
Syslog |
Netman Smart NAC |
5650 |
netman_smart_nac |
iam |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NetMotion |
5641 |
absolute_netmotion |
vpn |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Nutanix NX |
5724 |
nutanix_nx |
ndr |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NVIDIA Mellanox Switch |
5734 |
nvidia_mellanox_switch |
netlogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
NXLog (Also see Crib, above) |
5601 |
nxlog |
paas |
Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OneLogin |
5581 |
one_login |
iam |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Open LDAP (for Cisco ESA, use 5562) |
5164 | openldap_style |
|
Syslog |
OpenCanary |
5638 |
opencanary |
ndr |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OpenShift | 5573 | redhat_openshift |
paas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OpenVPN |
5643 |
openvpn |
vpn |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OPNsense |
5660 |
opnsense |
paas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Oracle DB | 5170 | oracle |
dblogs |
Traffic (srcip), Syslog (otherwise) |
Oracle Solaris |
5664 |
oracle_solaris |
unixlogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Ordr Connected Device Security |
5622 |
ordr_cds |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
PacketFence |
5686 |
packetfence |
netmgmt |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Palo Alto Networks Next Generation Firewall (LEEF) | 5522 |
fw_palo_alto |
firewall |
Traffic (srcip), Syslog (otherwise) |
Palo Alto Networks - Traps Agent (CEF) |
5143 |
palo_alto_networks_traps_agent |
xdr |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Palo Alto Networks Next-Generation Firewall and Panorama (BSD syslog and CSV) |
5515 | fw_palo_alto |
firewall |
Traffic (type: traffic), IDPS/Malware Sandbox Events (type: threat), Syslog (otherwise) |
Palo Alto Networks Firewall via Graylog |
5569 |
fw_palo_alto |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Palo Alto Networks Prisma Cloud (Compute Edition) |
5720 |
palo_alto_networks_prisma_cloud |
cloudsec |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
Penta Security WAPPLES WAF | 5560 | penta_security_wapples |
waf |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Pentera Appliance |
5737 |
pentera_appliance |
paas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Peplink XDR |
5665 |
peplink_xdr |
xdr |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Perception Point X-Ray |
5667 |
perceptionpoint_xray |
saas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
pfSense Firewall | 5543 | pfsense_fw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog |
PIOLINK WEBFRONT-K |
5617 |
piolink_webfront_k |
waf |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
PNPSECURE NODESAFER
|
5711 |
pnpsecure_nodesafer |
dblogs |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
PrintChaser | 5179 | printchaser |
dlp |
Syslog |
Privacy-i | 5178 | privacy |
dlp |
Syslog |
Proofpoint |
5596 |
proofpoint |
|
Syslog |
Prophaze WAF |
5733 |
prophaze_waf |
waf |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
Pulse Secure | 5534 | pulse_secure |
vpn |
Syslog |
QNAP QTS |
5726 |
qnap_qts |
storage |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
Qumulo Core |
5704 |
qumulo_core |
storage |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
Radware Alteon |
5700 |
radware_alteon |
netlogs |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
Radware DefensePro |
5619 |
radware_defense_pro |
idps |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Rapid7 | 5153 | rapid7 |
security_scan |
Syslog |
RazLeeSecurity - Audit (CEF) |
5143 |
ibm_raz_lee_security |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Relianoid WAF |
5730 |
relianoid_waf |
waf |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
RSA Authentication Manager | 5184 | rsa_auth |
nsa |
Syslog |
Ruckus ZoneDirector |
5662 |
ruckus_zone_director |
wireless |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
RuiJie Switch |
5689 |
ruijie_switch |
netlogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SafePC | 5180 | safepc |
cloudsec |
Syslog |
Sangfor EDR |
5701 |
sangfor_edr |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
Sangfor NGAF |
5637 |
sangfor_ngaf |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sectona PAM |
5721 |
sectona_pam |
iam |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
SECUI Firewall | 5561 | secui_fw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SECUI MF2 Firewall | 5570 | secui_mf2 |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SECUI MFD | 5611 | secui_mfd |
idps |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Secureki APPM |
5693 |
secureki_appm |
iam |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Security Strategy Research (SSR) Metieye |
5572 | ssr_metieye |
websec |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Secuway SSLVPN |
5652 |
secuwiz_secuway_sslvpn |
vpn |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SentinelOne (CEF2) |
5175 | cef_device_vendor |
endpoint |
Traffic (srcip), Syslog (otherwise) |
SentinelOne Mgmt (CEF) |
5143 |
sentinelone_endpoint |
endpoint |
IDPS/Malware Sandbox Events (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SentinelOne Security Center (CEF) |
5143 |
sentinelone_endpoint |
endpoint |
IDPS/Malware Sandbox Events (threat, normalized from classification), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SentinelOne Singularity Mobile |
5623 |
sentineone_sm |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ServiceNow Now Platform |
5668 |
servicenow_nowplatform |
paas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ShareTech Firewall |
5609 |
sharetech_fw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Snare Agent |
5590 |
snare_agent |
paas |
Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sniper IPS | 5182 | sniperips |
idps |
Traffic (srcip), Syslog (otherwise) |
SonicWall - NSA 2400 (CEF) |
5143 |
sonicwall_nsa |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SonicWall Firewall | 5152 | sonicfw |
firewall |
IDPS/Malware Sandbox Events (IDS signature), Traffic (srcip), Syslog (otherwise) |
SonicWall VPN | 5556 | sonicwall_vpn |
vpn |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos (CEF) |
5143 |
sophos |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos (JSON) | 5530 | sophos |
endpoint |
Traffic (endpoint_type: traffic), IDPS/Malware Sandbox Events (endpoint_type: threat), Syslog (endpoint_type: computer) |
Sophos endpoint | 5565 |
endpoint_sophos |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos endpoint (beats) | 5044 | endpoint_sophos |
endpoint |
Traffic (srcip), Syslog (otherwise) |
Sophos firewall | 5520 | fw_sophos |
firewall |
Data goes to the indicated index based on the log_type:
|
Sophos Web Appliance |
5626 |
sophos_web_app |
websec |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Splashtop |
5698 |
splashtop |
asset |
Traffic (srcip, srcport, dstip, dstport, and proto) Syslog (otherwise) |
Splunk Heavy Forwarder | 5188 | splunk_forwarder |
netmgmt |
Syslog |
Stormshield Net Security Firewall |
5625 |
stormshield_fw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Symantec Endpoint Protection | 5525 | symantec_ep |
endpoint |
Traffic (dstip), Syslog (otherwise) |
Symantec Firewall | 5155 | symantec |
firewall |
Syslog |
Symantec Messaging Gateway | 5567 | symantec_messaging_gateway |
|
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Symantec DLP (CEF) | 5143 | symantec |
symantec_dlp |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Synology Directory Server |
5597 |
synology_directory_server |
asset |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Syslog4Net |
5715 |
syslog4net |
log_processing |
Windows Events (winlogevent), Syslog (otherwise) |
Thales Group CipherTrust Manager |
5674 |
thales_cipher_trust_manager |
iam |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ThreatLocker Zero Trust EPP |
5200 (tcp only) |
threat_locker_zero_trust_epp |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trellix FireEye HX |
5644 |
fireeye_hx |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro - Deep Security Agent (LEEF) | 5522 |
trendmicro_dsa |
endpoint |
Traffic (srcip), Syslog (otherwise) |
Trend Micro Apex Central (CEF) |
5143 |
trendmicro_apex_central |
endpoint |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro Interscan Messaging |
5678 |
trend_micro_interscan_messaging |
saas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro Proxy | 5540 | trendmicro_proxy |
websec |
Traffic (dstip), Syslog (otherwise) |
Trend Micro TippingPoint |
5672 |
trend_micro_tippingpoint |
idps |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Tripwire Enterprise | 5186 | tripwire |
endpoint |
Syslog |
Ubiquiti UAP-AC-Pro | 5552 | ubiquiti |
netlogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
UMV WSS (Web Server Safeguard) |
5709 |
umv_wss |
ndr |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Unix |
5633 |
unix |
unixlogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Untangle Firewall (Syslog JSON) |
5142 |
json |
firewall |
IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Varonis DatAdvantage (CEF) | 5143 | varonis_datadvantage |
dlp |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Vectra AI Platform |
5738 |
vectra_ai_platform |
xdr |
IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Versa Networks Firewall | 5568 | versa_networks_fw |
firewall |
IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware - Carbon Black (LEEF) | 5522 |
vmware_cb |
endpoint |
Traffic (srcip), Syslog (otherwise) |
VMware ESXi
|
5600 | vmware |
unixlogs |
Syslog |
VMWare Horizon |
5687 |
vmware_horizon |
paas |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware NSX-T Data Center | 5574 | vmware_nsx_t |
endpoint (unless log type is dfwpktlogs, then category is firewall) |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware UAG |
5620 |
vmware_uag |
iam |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware Vcenter |
5615 |
vmware_vcenter |
itsm |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMWare VeloCloud SD-WAN |
5685 |
vmware_velocloud_sdwan |
netmgmt |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
WatchGuard - XTM (LEEF) | 5522 |
watchguard_fw |
firewall |
Traffic (srcip), Syslog (otherwise) |
WatchGuard firewall security appliance | 5557 | watchguard_fw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Wazuh |
5634 |
wazuh_siem |
endpoint |
Windows Events (winlogevent) , Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows DNS Server |
5599 |
windows_dns_server |
weblogs |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows Event NXLog |
5601 |
microsoft_windows |
endpoint |
Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows System Security |
5610 |
windows_system_security |
endpoint |
Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Wins IPS ONE-1 / Wins DDX | 5538 | winsips |
idps |
IDPS/Malware Sandbox Events (vendor.attack_name), Syslog (otherwise) |
WINS Sniper NGFW |
5649 |
wins_sniper_ngfw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zeek (NXLog method) |
5142 |
json |
json |
Syslog |
Zix Mail | 5185 | zix_mail |
|
Traffic (srcip), Syslog (otherwise) |
5143 |
zscaler |
websec |
Syslog |
|
Zscaler ZIA Firewall | 5549 | zscaler_zia_fw |
firewall |
IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zscaler ZIA Web | 5550 | zscaler_zia_web |
weblogs |
IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zscaler ZPA | 5551 | zscaler_zpa |
vpn |
IDPS/Malware Sandbox Events (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zyxel Firewall |
5594 |
zyxel_fw |
firewall |
Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Parsers that Support Line Breaks in Messages Delivered over TCP
Most syslog messages sent over TCP use ASCII LF (represented as \n) as a TRAILER character that terminates each message within the larger transmission. (This is the non-transparent-framing method described in section 3.4.2 of RFC 6587 - Transmission of Syslog Messages over TCP.) Unfortunately, if a log uses LF (\n) as a line break within a message, parsers recognize each LF as a TRAILER character and split the message into as many parts as there are line breaks. The result is several erroneous "messages" that are really just fragments of one message.
There are exceptions, however. The following parsers can receive logs delivered over TCP with LF (\n) line breaks, because these logs include fixed HEADER and TRAILER characters that the parsers use to isolate messages:
- Aliyun/AliCloud on port 5545
- Avanan on port 5681
- BeyondTrust BeyondInsight on port 5621
- CheckPoint Firewall on port 5519
- FortiADC on port 5725
- Indusface Web Application Firewall on port 5582
- Monitorapp on port 5535
- Splunk Heavy Forwarder on port 5188
- Windows System Security on port 5610
- The following HTTP JSON parsers that listen on TCP 5200 also support LF line breaks within syslog messages.
When only one product is sending logs to TCP 5200 on a sensor, the URL doesn't need to include the product name to identify it. However, when there is more than one and you want to differentiate them, include the product name. Example for Avanan:
https://<sensor_ip_addr>:5200/httpjson
or https://<sensor_ip_addr>:5200/httpjson_avanan
- Avanan – httpjson or httpjson_avanan
- AWS WAF – httpjson or httpjson_awf_waf
- Bitdefender – httpjson or httpjson_bitdefender_multiple_event
- ECS Suricata – httpjson or httpjson_ecs or httpjson_ecs_suricata
- ECS Windows – httpjson or httpjson_ecs or httpjson_ecs_windows
- Egnyte – httpjson or httpjson_egnyte
- Exium SASE – httpjson or httpjson_exium_sase
- FS BIG-IP Telemetry – httpjson or httpjson_fs_telemetry_streaming
- Kubernetes – httpjson or httpjson_kubernetes
- ThreatLocker Zero Trust EPP – httpjson or httpjson_threat_locker_zero_trust_epp
In addition to the non-transparent-framing method of separating log messages, section 3.4.1 of RFC 6587 - Transmission of Syslog Messages over TCP describes another method: octet counting. The Fortinet FortiGate parser supports this as well as non-transparent framing, checking the first character in a frame to determine which method is being used. If a log sent to the Fortinet FortiGate parser on TCP port 5517 contains an LF (\n) line break, then the octet counting method must be used. Otherwise, either method works.
In summary, only the parsers listed above can process logs that include \n and are sent over TCP. All parsers support logs sent over UDP, because a UDP datagram contains exactly one syslog message; parsers therefore never need to separate multiple syslog messages from a single transmission.