Most network and security systems support either Syslog or CEF (Common Event Format) over Syslog as a means of sending data to a SIEM. This makes Syslog and CEF the most straightforward ways to stream security and networking events to Azure Sentinel. To learn more about best practices for CEF collection, see here.
The advantage of CEF over Syslog is that it ensures the data is normalized, making it more immediately useful for analysis in Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query-time parsing.
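As an added example (not code from the original post or from Microsoft), the following Python script shows the difference the paragraph describes. A CEF message carries a fixed seven-field header plus key=value extensions, so one escape-aware parser normalizes every CEF source; a plain Syslog message carries free text, so each message shape needs its own extraction at query time (in Sentinel that is done in the query language; here a regular expression stands in for it). All sample lines, the vendor and product names, hosts and addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not from any real device): CEF carried over a
# BSD-style syslog header, and an ordinary, unparsed syslog line.
CEF_LINE = (
    "<134>Feb 10 12:00:00 fw01 CEF:0|Example Vendor|Example Firewall|1.0|100|"
    "Traffic denied|7|src=10.1.1.5 dst=10.2.2.9 spt=51234 dpt=443 "
    "msg=Policy Deny\\=outbound act=block"
)
PLAIN_SYSLOG_LINE = ("<38>Feb 10 12:00:01 host01 sshd[4242]: Failed password "
                     "for invalid user admin from 10.1.1.5 port 51234 ssh2")

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def _unescape(s: str) -> str:
    """Undo CEF escaping: \\| \\= \\\\ become | = \\ ; \\n and \\r become line breaks."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "r": "\r"}.get(s[i + 1], s[i + 1]))
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring \\| escapes.
    Returns (fields, raw_extension); the extension keeps its own escaping."""
    parts, buf, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return parts, body[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value'; values may contain spaces and escaped '='."""
    keys, i = [], 0  # (key_start, position_of_'=') for every unescaped '='
    while i < len(ext):
        if ext[i] == "\\":
            i += 2
            continue
        if ext[i] == "=":
            keys.append((ext.rfind(" ", 0, i) + 1, i))
        i += 1
    fields: Dict[str, str] = {}
    for n, (key_start, eq) in enumerate(keys):
        # A value runs up to the space that precedes the next key.
        val_end = keys[n + 1][0] - 1 if n + 1 < len(keys) else len(ext)
        fields[ext[key_start:eq]] = _unescape(ext[eq + 1:val_end])
    return fields


def parse_cef_syslog(line: str) -> Optional[Dict[str, object]]:
    """Normalized record for a CEF-over-syslog line, or None for plain syslog."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    header, ext = _split_header(line[idx + len("CEF:"):])
    record: Dict[str, object] = {"syslog_header": line[:idx].strip()}
    record.update(zip(HEADER_FIELDS, header))
    record["extension"] = parse_extension(ext)
    return record


# Query-time parsing of plain syslog: generic PRI/host/process split, then a
# constructed per-message-shape extraction (one shape shown, sshd failures).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_plain_syslog(line: str) -> Optional[Dict[str, object]]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity (RFC 3164/5424)
    rec: Dict[str, object] = {
        "facility": pri >> 3, "severity": pri & 7, "timestamp": m["ts"],
        "host": m["host"], "process": m["proc"], "message": m["msg"], "fields": {}}
    f = SSH_FAIL_RE.search(m["msg"])
    if f:
        rec["fields"] = f.groupdict()
    return rec


if __name__ == "__main__":
    print(parse_cef_syslog(CEF_LINE))
    print(parse_plain_syslog(PLAIN_SYSLOG_LINE))
```

The CEF side needs no per-source knowledge beyond the format's escaping rules, which is the normalization the paragraph refers to; the plain Syslog side needs a new extraction pattern for every message shape, which is the cost of query-time parsing.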
The number of systems supporting Syslog or CEF is in the hundreds, making the table below by no means comprehensive. We will update this list continuously. The table provides links to the source device’s vendor documentation for configuring the device to send events in Syslog or CEF.
Tip: Want to ingest test CEF data? Here is how to do that.
For completeness, we have also included sources that log to Sentinel directly using the native Sentinel API, as well as those that can log to the Windows Event Log and be read by Sentinel’s Windows collection methods.
| Vendor | Product | Connector | Information |
|---|---|---|---|
| Akamai | | CEF | Instructions |
| Apache | httpd | Syslog | Using rsyslog or logger as a file forwarder |
| Aruba | ClearPass | CEF | |
| AWS | CloudWatch | Custom | Using Logstash. See here. |
| Carbon Black | Defense | Syslog | |
| Carbon Black | Response | Syslog | |
| Check Point | | CEF | Sentinel built-in CEF connector |
| Cisco | ASA | Cisco (CEF) | Sentinel built-in CEF connector. Notes: Cisco ASA support uses Sentinel’s CEF pipeline, although Cisco’s logging is not in CEF format; make sure you disable the logging timestamp using “no logging timestamp”. See here for more details. |
| Cisco | Cloud Security Gateway (CWS) | CEF | Use Cisco Advanced Web Security Reporting. |
| Cisco | Web Security Appliance (WSA) | CEF | Use Cisco Advanced Web Security Reporting. |
| Cisco | Meraki | Syslog | |
| Cisco | Firepower Threat Defense | Syslog | |
| Cisco | FireSight | Syslog | |
| Cisco | IronPort Web Security Appliance | Syslog | |
| Cisco | Nexus | Syslog | |
| Cisco | Umbrella | Custom | See this blog post. |
| Citrix | NetScaler | Syslog | |
| Citrix | NetScaler App FW | CEF | Instructions |
| CrowdStrike | Falcon | CEF | Use a SIEM connector installed on premises |
| CyberArk | Privileged Access Security | CEF | Note that a change is required in the MMA configuration |
| Darktrace | Immune | CEF | See announcement. |
| F5 | WAF | CEF | |
| F5 | BIG-IP | Syslog | Syslog: Instructions, TLS instructions. Direct: blog, instructions, how-to video |
| FireEye | NX | CEF | We could not find the vendor’s documentation. See third-party instructions here. |
| Forcepoint | Web Security (WebSense) | CEF | |
| Fortinet | | CEF | Sentinel built-in CEF connector |
| Fortinet | SIEM | CEF | |
| HP | Printers | Syslog | |
| IBM | zSecure | CEF | See What’s new for zSecure V2.3.0. Note that it supports alerts only. |
| Imperva | SecureSphere | CEF | |
| Infoblox | On-premises appliance | Syslog | Instructions |
| Kaspersky | Security Center | Syslog | Instructions |
| McAfee | ePO | Syslog | Note: TLS only (requires rsyslog TLS configuration) |
| McAfee | Web Gateway | CEF | |
| Microsoft | SQL | Windows Event Log | |
| NetApp | ONTAP | Syslog | Note that these are management activity audit logs, not file usage activity logs. |
| Oracle | DB | Syslog | |
| Palo Alto | PAN-OS | CEF | Sentinel built-in CEF connector |
| Palo Alto | Panorama | CEF | |
| Palo Alto | Traps through Cortex | Syslog | Notes: requires rsyslog configuration to support RFC 5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA |
| PostgreSQL | DB | Syslog, Windows Event Log | |
| SAP | HANA | Syslog | Instructions (requires an SAP account) |
| SonicWall | | CEF | Make sure you select ArcSight as the Syslog format. |
| Squid Proxy | | Syslog | Configure access logs with either the TCP or UDP module. Sentinel’s built-in queries use the default log format. |
| Symantec | DLP | Syslog, CEF | Instructions (note that only UDP is supported); Instructions (uses response automation) |
| Symantec | WSG (Bluecoat) | Syslog | Note that only TCP is supported, which requires rsyslog configuration to use TCP. |
| Symantec | Endpoint Protection Manager | Syslog | Instructions |
| Symantec | Cloud Workload Protection | API | Instructions |
| Trend Micro | | CEF | |
| Trend Micro | Deep Security | CEF | |
| Varonis | DatAlert | CEF | |
| WatchGuard | | CEF | Instructions |
| Zscaler | | CEF | See Zscaler NSS and the ArcSight integration guide. |