Most network and security systems support either Syslog or CEF (Common Event Format) over Syslog as the means for sending data to a SIEM. This makes Syslog and CEF the most straightforward ways to stream security and networking events to Azure Sentinel. Want to learn more about best practices for CEF collection? See here.
The advantage of CEF over Syslog is that it ensures the data is normalized making it more immediately useful for analysis using Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query time parsing.
The number of systems supporting Syslog or CEF is in the hundreds, making the table below by no means comprehensive. We will update this list continuously. The table provides links to the source device’s vendor documentation for configuring the device to send events in Syslog or CEF.
Tip: Want to ingest test CEF data? Here is how to do that.
For completeness, we have also included sources that log to Sentinel directly using the native Sentinel API, as well as those that can log to the Windows Event Log and be read by Sentinel's Windows collection methods.
| Vendor | Product | Connector | Information |
|---|---|---|---|
| Akamai | | CEF | Instructions |
| Apache | httpd | Syslog | Using rsyslog or logger as a file forwarder |
| Aruba | ClearPass | CEF | |
| AWS | CloudWatch | Custom | Using Logstash. See here. |
| Barracuda | WAF | API | |
| Barracuda | CloudGen Firewall | API | |
| Carbon Black | Defense | Syslog | |
| Carbon Black | Response | Syslog | |
| Checkpoint | | CEF | |
| Cisco | ASA | Cisco (CEF) | Notes: Cisco ASA support uses Sentinel's CEF pipeline; however, Cisco's logging is not in CEF format. Make sure you disable logging timestamps using "no logging timestamp". See here for more details. |
| Cisco | Cloud Security Gateway (CWS) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Web Security Appliances (WSA) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Meraki | Syslog | |
| Cisco | eStreamer | CEF | Using |
| Cisco | Firepower Threat Defense | Syslog | |
| Cisco | FireSight | CEF | Using eStreamer eNcore |
| Cisco | IronPort Web Security Appliance | Syslog | |
| Cisco | Nexus | Syslog | |
| Cisco | Umbrella | Custom | See this blog post |
| Citrix | Analytics | API | |
| Citrix | NetScaler | Syslog | |
| Citrix | NetScaler App FW | CEF | Instructions |
| CrowdStrike | Falcon | CEF | Use a SIEM connector installed on premises |
| CyberArk | Privileged Access Security | CEF | Note that a change is required in the MMA configuration |
| Darktrace | Immune | CEF | See announcement. Contact vendor for instructions. |
| Digital Guardian | | CEF | |
| Extrahop | Reveal | CEF | |
| F5 | ASM (WAF) | CEF | |
| F5 | BigIP | API | |
| Forcepoint | Web Security (WebSense) | CEF | |
| Forcepoint | CASB | CEF | |
| Forcepoint | DLP | API | |
| Forcepoint | NGFW | CEF | |
| Fortinet | | CEF | |
| Fortinet | SIEM | CEF | |
| HP | Printers | Syslog | |
| IBM | zSecure | CEF | See What's new for zSecure V2.3.0. Note that it supports alerts only. |
| Imperva | SecureSphere | CEF | |
| Infoblox | On-premises appliance | Syslog | Instructions |
| Kaspersky | Security Center | Syslog | Instructions |
| McAfee | ePO | Syslog | Note: TLS only (requires rsyslog TLS configuration) |
| McAfee | Web Gateway | CEF | |
| Microsoft | SQL | Windows Event Log | |
| Minerva Labs | | CEF | Please ask the vendor for instructions. |
| NetApp | ONTAP | Syslog | Note that these are management activity audit logs, not file usage activity logs. |
| Netflow | | Logstash | Use the Netflow codec plug-in |
| Okta | | Logstash | |
| One Identity | Safeguard | CEF | |
| Oracle | DB | Syslog | |
| Palo Alto | PanOS | CEF | |
| Palo Alto | Panorama | CEF | |
| Palo Alto | Traps through Cortex | Syslog | Notes: requires rsyslog configuration to support RFC5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA |
| PostgreSQL | DB | Syslog, Windows Event Log | |
| SAP | HANA | Syslog | Instructions (requires an SAP account) |
| Snort | | Syslog | |
| SonicWall | | CEF | Make sure you select ArcSight as the Syslog format. |
| Squadra | secRMM | API | Sentinel built-in connector |
| Squid Proxy | | Syslog | Configure access logs with either the TCP or UDP modules. Sentinel's built-in queries use the default log format. |
| Symantec | DLP | Syslog, CEF | Syslog: Instructions. Note that only UDP is supported. CEF: Instructions. Uses response automation. |
| Symantec | ICDX | API | |
| Symantec | WSG (Bluecoat) | Syslog | Note that only TCP is supported, which requires rsyslog configuration to use TCP. |
| Symantec | Endpoint Protection Manager | Syslog | Instructions |
| Symantec | Cloud Workload Protection | API | Instructions |
| Trend Micro | | CEF | |
| Trend Micro | Deep Security | CEF | |
| Varonis | DatAlert | CEF | |
| WatchGuard | | CEF | Instructions |
| Zimperium | Mobile Threat Defense | API | Sentinel built-in connector |
| zScaler | Internet Access (ZIA) | CEF | Sentinel built-in connector |
| zScaler | Private Access (ZPA) | Logstash | Use LSS. Since LSS sends raw TCP but not Syslog, you will have to use Logstash and not Azure Sentinel's native connector. |