Azure Sentinel: Syslog, CEF, Logstash and other 3rd party connectors grand list

This post has been republished via RSS; it originally appeared at: Azure Sentinel articles.

Most network and security systems support either Syslog or CEF (Common Event Format) over Syslog as the means for sending data to a SIEM. This makes Syslog or CEF the most straightforward way to stream security and networking events to Azure Sentinel. Want to learn more about best practices for CEF collection? See here.

The advantage of CEF over Syslog is that it ensures the data is normalized, making it more immediately useful for analysis in Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query-time parsing.

The number of systems supporting Syslog or CEF is in the hundreds, so the table below is by no means comprehensive. We will update this list continuously. The table provides links to the source device's vendor documentation for configuring the device to send events in Syslog or CEF.

Tip: Want to ingest test CEF data? Here is how to do that.

For completeness, we have also included sources that log to Sentinel directly using the native Sentinel API, as well as those that can log to the Windows Event Log and be read by Sentinel's Windows collection methods.

| Vendor | Product | Connector | Information |
|---|---|---|---|
| Akamai | | CEF | Instructions |
| Apache | httpd | Syslog | Using rsyslog or logger as a file forwarder |
| Aruba | ClearPass | CEF | Instructions |
| AWS | CloudWatch | Custom | Using Logstash. See here. |
| Barracuda | WAF | API | Sentinel built-in connector |
| Barracuda | CloudGen Firewall | API | Sentinel built-in connector |
| Carbon Black | Defense | Syslog | Instructions |
| Carbon Black | Response | Syslog | Instructions |
| Checkpoint | | CEF | Sentinel built-in connector |
| Cisco | ASA | Cisco (CEF) | Sentinel built-in connector. Notes: Cisco ASA support uses Sentinel's CEF pipeline, although Cisco's logging is not in CEF format. Make sure you disable the logging timestamp using "no logging timestamp"; see here for more details. |
| Cisco | Cloud Security Gateway (CWS) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Web Security Appliances (WSA) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Meraki | Syslog | Instructions; Event Types and Log Samples |
| Cisco | eStreamer | CEF | Using |
| Cisco | Firepower Threat Defense | Syslog | Instructions |
| Cisco | FireSight | CEF | Using eStreamer eNcore |
| Cisco | IronPort Web Security Appliance | Syslog | Instructions |
| Cisco | Nexus | Syslog | Instructions |
| Cisco | Umbrella | Custom | See this blog post |
| Citrix | Analytics | API | Sentinel built-in connector |
| Citrix | NetScaler | Syslog | Instructions; Message format |
| Citrix | NetScaler App FW | CEF | Instructions |
| CrowdStrike | Falcon | CEF | Use a SIEM connector installed on premises |
| CyberArk | Privileged Access Security | CEF | Instructions; Message format. Note that a change is required in the MMA configuration. |
| Darktrace | Immune | CEF | See announcement. Contact vendor for instructions. |
| Digital Guardian | | CEF | 3rd party instructions |
| Extrahop | Reveal | CEF | Sentinel built-in connector |
| F5 | ASM (WAF) | CEF | Sentinel built-in connector |
| F5 | BigIP | API | Sentinel built-in connector |
| Forcepoint | Web Security (WebSense) | CEF | Instructions; Detailed reference |
| Forcepoint | CASB | CEF | Sentinel built-in connector |
| Forcepoint | DLP | API | Sentinel built-in connector |
| Forcepoint | NGFW | CEF | Sentinel built-in connector |
| Fortinet | | CEF | Sentinel built-in connector; Log message reference; CEF mapping and examples |
| Fortinet | SIEM | CEF | Instructions |
| HP | Printers | Syslog | Instructions |
| IBM | zSecure | CEF | See What's new for zSecure V2.3.0. Note that it supports alerts only. |
| Imperva | SecureSphere | CEF | Instructions |
| Infoblox | On-premises appliance | Syslog | Instructions |
| Kaspersky | Security Center | Syslog | Instructions |
| McAfee | ePO | Syslog | Instructions; KB Article. Note: TLS only (requires rsyslog TLS configuration). |
| McAfee | Web Gateway | CEF | Instructions |
| Microsoft | SQL | Windows Event Log | Instructions |
| Minerva Labs | | CEF | Please ask the vendor for instructions. |
| NetApp | ONTAP | Syslog | Instructions. Note that these are management activity audit logs, not file usage activity logs. |
| Netflow | | Logstash | Use the Netflow codec plug-in |
| Okta | | Logstash | Logstash plug-in |
| One Identity | Safeguard | CEF | Sentinel built-in connector |
| Oracle | DB | Syslog | Instructions |
| Palo Alto | PanOS | CEF | Sentinel built-in connector |
| Palo Alto | Panorama | CEF | Instructions |
| Palo Alto | Traps through Cortex | Syslog | Instructions. Notes: requires rsyslog configuration to support RFC 5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA. |
| Postgres | DB | Syslog, Windows Event Log | Instructions |
| SAP | Hana | Syslog | Instructions (requires an SAP account) |
| Snort | | Syslog | Instructions |
| SonicWall | | CEF | Instructions. Make sure you select local use 4 as the facility and ArcSight as the Syslog format. |
| Squadra | secRMM | API | Sentinel built-in connector |
| Squid | Proxy | Syslog | Configure access logs with either the TCP or UDP module. Sentinel's built-in queries use the default log format. |
| Symantec | DLP | Syslog | Instructions. Note that only UDP is supported. |
| Symantec | DLP | CEF | Instructions. Uses response automation. |
| Symantec | ICDX | API | Sentinel built-in connector |
| Symantec | WSG (Bluecoat) | Syslog | Instructions. Note that only TCP is supported, which requires rsyslog configuration to use TCP. |
| Symantec | Endpoint Protection Manager | Syslog | Instructions |
| Symantec | Cloud Workload Protection | API | Instructions |
| Trend Micro | | CEF | Using Control Manager; Using LogForwarder |
| Trend Micro | Deep Security | CEF | Sentinel built-in connector |
| Varonis | DatAlert | CEF | Instructions |
| WatchGuard | | CEF | Instructions |
| Zimperium | Mobile Threat Defense | API | Sentinel built-in connector |
| Zscaler | Internet Access (ZIA) | CEF | Sentinel built-in connector |
| Zscaler | Private Access (ZPA) | Logstash | Use LSS. Since LSS sends raw TCP rather than Syslog, you have to use Logstash rather than Azure Sentinel's native connector. |
