Azure Sentinel: Syslog, CEF, Logstash and other 3rd party connectors grand list

Most network and security systems support either Syslog or CEF (Common Event Format) over Syslog as the means of sending data to a SIEM. This makes Syslog and CEF the most straightforward ways to stream security and networking events to Azure Sentinel. Want to learn more about best practices for CEF collection? See here.

The advantage of CEF over plain Syslog is that it normalizes the data: the header fields and the key=value extensions land in well-known columns, so events are immediately useful for analysis in Sentinel. However, unlike many other SIEM products, Sentinel also allows ingesting unparsed Syslog events and analyzing them using query-time parsing in KQL.
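
As an added example (not code from the original post or from Microsoft), here is what the normalization described above amounts to on the wire: a parser that splits the seven pipe-delimited CEF header fields while honouring the `\|` escape, then parses the space-separated key=value extension while honouring `\=` and `\\`, and maps a handful of well-known extension keys onto the corresponding CommonSecurityLog columns. The syslog line, vendor and product names, hostname and IP addresses are constructed for the example, and the key-to-column mapping is a small illustrative subset, not the collector's complete table.

```python
r"""Parse CEF-over-syslog lines and map them to CommonSecurityLog-style columns.

Added example; not code from the original post or from Microsoft.

CEF is one line:
  CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
Header fields are '|'-separated; a literal '|' inside a header field is written '\|'
and a literal '\' is written '\\'. The extension is space-separated key=value pairs
where '=' is written '\=', '\' is written '\\' and line breaks are written '\n' / '\r'.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample (vendor, product, host and addresses are made up): an RFC 3164
# syslog header, then the CEF payload. Note the escaped pipe in the Name field,
# the escaped '=' in cs1 and the escaped backslashes in msg.
SAMPLE_LINE = (
    r"<134>Oct 11 22:14:15 fw01 CEF:0|ExampleVendor|ExampleFW|3.2|100|"
    r"Traffic blocked (dst\|deny)|7|src=10.1.2.3 dst=203.0.113.9 spt=51234 dpt=443 "
    r"proto=TCP act=blocked cs1Label=Rule cs1=Outbound\=Deny msg=Path C:\\Users\\bob"
)

# CommonSecurityLog columns that hold the six header fields after the version.
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")

# Illustrative subset of the CEF extension key -> CommonSecurityLog column mapping
# (an assumption for this example, not the collector's complete table). Keys not
# listed here are kept in AdditionalExtensions as "key=value;key=value".
KEY_TO_COLUMN = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
    "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
    "suser": "SourceUserName", "duser": "DestinationUserName", "msg": "Message",
    "dvc": "DeviceAddress", "shost": "SourceHostName", "dhost": "DestinationHostName",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# An extension key starts the string or follows whitespace and is followed by an
# unescaped '='; the key character class excludes '\', so '\=' never starts a key.
_EXT_KEY_RE = re.compile(r"(?<!\S)([A-Za-z0-9_.\-]+)=")
_ESCAPES = {"n": "\n", "r": "\r", "=": "=", "|": "|", "\\": "\\"}


def _unescape(text: str) -> str:
    """Resolve CEF backslash escapes; unknown escapes are left verbatim."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), text)


def _split_header(payload: str) -> Tuple[List[str], str]:
    r"""Split 'CEF:0|...|Severity|Extension' into 7 header fields and the extension.

    Only the first seven unescaped pipes are delimiters; an escaped pipe ('\|')
    is kept with its backslash and resolved by _unescape afterwards. The
    extension is returned raw because it may legitimately contain pipes.
    """
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            current.append(payload[i:i + 2])      # keep the escape pair intact
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have seven pipe-delimited fields")
    return [_unescape(f) for f in fields], payload[i:]


def _parse_extension(extension: str) -> Dict[str, str]:
    """Parse key=value pairs; a value runs until the next key, so it may hold spaces."""
    keys = list(_EXT_KEY_RE.finditer(extension))
    parsed: Dict[str, str] = {}
    for n, match in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        parsed[match.group(1)] = _unescape(extension[match.end():end].strip())
    return parsed


def parse_cef_line(line: str) -> Dict[str, object]:
    """Turn one syslog line carrying CEF into a flat record keyed by column name."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("line carries no CEF payload")
    fields, extension = _split_header(line[start:])
    record: Dict[str, object] = {"CEFVersion": fields[0].split(":", 1)[1]}
    record.update(zip(HEADER_COLUMNS, fields[1:]))
    extras = []
    for key, value in _parse_extension(extension).items():
        column = KEY_TO_COLUMN.get(key)
        if column:
            record[column] = value
        else:
            extras.append(f"{key}={value}")
    record["AdditionalExtensions"] = ";".join(extras)
    # Syslog PRI = facility * 8 + severity. These are not CommonSecurityLog columns;
    # they are kept because the facility a device sends on is a common collection problem.
    pri = _PRI_RE.match(line)
    if pri:
        record["SyslogFacility"], record["SyslogSeverity"] = divmod(int(pri.group(1)), 8)
    return record


if __name__ == "__main__":
    for column, value in parse_cef_line(SAMPLE_LINE).items():
        print(f"{column:22} {value!r}")
```

The two things that trip up home-grown CEF parsers are visible in the sample: a naive `split("|")` would break the Name field on the escaped pipe, and a naive `split(" ")` would break the `msg` value on its spaces. Anything the sample device sends that is not in the mapping table ends up in AdditionalExtensions, which is also where you would look for it in Sentinel.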

Hundreds of systems support Syslog or CEF, so the table below is by no means comprehensive; we will keep updating it. The table links to each source device's vendor documentation for configuring the device to send events in Syslog or CEF.

Tip: Want to ingest test CEF data? Here is how to do that.
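
As an added example (mine, not code from the original post or from Microsoft), the following generator produces the kind of test CEF data the tip refers to: it builds a CEF event with correct escaping, frames it as an RFC 3164 syslog message and sends it over UDP or TCP to the collector you name. Everything in it is constructed: the vendor and product names, the 10.1.2.3 / 203.0.113.9 addresses and the `testhost` hostname are made up, and the collector address and port are whatever your deployment uses (514 is the usual syslog port; local4 is the facility this page's SonicWall entry recommends).

```python
"""Build a CEF-over-syslog test event and send it to a CEF collector.

Added example; not code from the original post or from Microsoft. Use it to
confirm a freshly configured collector forwards events before pointing a real
device at it. The vendor/product names below are made up; the collector address
and port are whatever your deployment uses (514 is the usual syslog port).
"""
import socket
import sys
from datetime import datetime, timezone
from typing import Optional

# Fixed timestamp so the demo output (and the framing) is reproducible.
SAMPLE_TIME = datetime(2020, 10, 5, 22, 14, 15, tzinfo=timezone.utc)


def cef_escape(value, header: bool = False) -> str:
    """Apply CEF escaping. Backslash is doubled everywhere; '|' is escaped only
    in header fields; '=' and line breaks are escaped only in extension values."""
    out = str(value).replace("\\", "\\\\")
    if header:
        return out.replace("|", "\\|")
    return out.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def build_cef(vendor, product, version, event_class_id, name, severity, **extension) -> str:
    """Assemble 'CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ...'.
    Severity must be an integer 0-10."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity is an integer 0-10")
    header = "|".join(cef_escape(f, header=True)
                      for f in (vendor, product, version, event_class_id, name, severity))
    pairs = " ".join(f"{key}={cef_escape(value)}" for key, value in extension.items())
    return f"CEF:0|{header}|{pairs}"


def frame_syslog(cef: str, hostname: str, facility: int = 20, severity: int = 6,
                 when: Optional[datetime] = None) -> bytes:
    """Wrap the CEF payload in an RFC 3164 header: <PRI>Mmm dd hh:mm:ss host payload.

    PRI = facility*8 + severity. Facility 20 is local4, the value this page's
    SonicWall entry recommends; severity 6 is informational. The day is
    space-padded ('Oct  5'), as RFC 3164 requires.
    """
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{timestamp} {hostname} {cef}".encode("utf-8")


def send(frame: bytes, collector: str, port: int = 514, tcp: bool = False) -> int:
    """Send one framed event: UDP by default, newline-terminated TCP if tcp=True.
    Returns the number of bytes handed to the socket."""
    if tcp:
        with socket.create_connection((collector, port), timeout=5) as sock:
            sock.sendall(frame + b"\n")
            return len(frame) + 1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(frame, (collector, port))


if __name__ == "__main__":
    # Usage: python this_script.py <collector-address>   (defaults to localhost)
    collector = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    event = build_cef("ExampleVendor", "ExampleFW", "3.2", "100", "Test event|pipe",
                      5, src="10.1.2.3", dst="203.0.113.9", act="blocked",
                      msg="sent by the test generator, rule=Outbound\\Deny")
    frame = frame_syslog(event, "testhost", when=SAMPLE_TIME)
    print(frame.decode())
    print(f"sent {send(frame, collector)} bytes to {collector}:514/udp")
```

Run it with the collector's address as the only argument, then query CommonSecurityLog for `DeviceVendor == "ExampleVendor"` to confirm the event arrived; if it does not, the facility and transport (UDP vs TCP) are the first two things to compare against what the collector's rsyslog or syslog-ng configuration accepts.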

For completeness, we have also included sources that log to Sentinel directly through the native Sentinel API, as well as those that log to the Windows Event Log and can be read by Sentinel's Windows collection methods.

| Vendor | Product | Connector | Information |
|---|---|---|---|
| Akamai | | CEF | Instructions |
| Apache | httpd | Syslog | Using rsyslog or logger as a file forwarder |
| Aruba | ClearPass | CEF | Instructions |
| AWS | CloudWatch | Custom | Using Logstash. See here. |
| Barracuda | WAF | API | Sentinel built-in connector |
| Barracuda | CloudGen Firewall | API | Sentinel built-in connector |
| Carbon Black | Defense | Syslog | Instructions |
| Carbon Black | Response | Syslog | Instructions |
| Check Point | | CEF | Sentinel built-in connector |
| Cisco | ASA | CEF | Sentinel built-in connector. Notes: ASA support uses Sentinel's CEF pipeline, although Cisco's logging is not in CEF format. Make sure you disable logging timestamps with "no logging timestamp". See here for more details. |
| Cisco | Cloud Security Gateway (CWS) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Web Security Appliances (WSA) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Meraki | Syslog | Instructions. Event Types and Log Samples. |
| Cisco | eStreamer | CEF | Using |
| Cisco | Firepower Threat Defense | Syslog | Instructions |
| Cisco | FireSight | CEF | Using eStreamer eNcore |
| Cisco | IronPort Web Security Appliance | Syslog | Instructions |
| Cisco | Nexus | Syslog | Instructions |
| Cisco | Umbrella | Custom | See this blog post |
| Citrix | Analytics | API | Sentinel built-in connector |
| Citrix | NetScaler | Syslog | Instructions. Message format. |
| Citrix | NetScaler App FW | CEF | Instructions |
| CrowdStrike | Falcon | CEF | Use a SIEM connector installed on premises |
| CyberArk | Privileged Access Security | CEF | Instructions. Message format. Note that a change is required in the MMA configuration. |
| Darktrace | Immune | CEF | See announcement. Contact the vendor for instructions. |
| Digital Guardian | | CEF | 3rd-party instructions |
| ExtraHop | Reveal | CEF | Sentinel built-in connector |
| F5 | ASM (WAF) | CEF | Sentinel built-in connector |
| F5 | BIG-IP | API | Sentinel built-in connector |
| Forcepoint | Web Security (Websense) | CEF | Instructions. Detailed reference. |
| Forcepoint | CASB | CEF | Sentinel built-in connector |
| Forcepoint | DLP | API | Sentinel built-in connector |
| Forcepoint | NGFW | CEF | Sentinel built-in connector |
| Fortinet | | CEF | Sentinel built-in connector. Log message reference. CEF mapping and examples. |
| Fortinet | SIEM | CEF | Instructions |
| HP | Printers | Syslog | Instructions |
| IBM | zSecure | CEF | See What's new for zSecure V2.3.0. Note that it supports alerts only. |
| Imperva | SecureSphere | CEF | Instructions |
| Infoblox | On-premises appliance | Syslog | Instructions |
| Kaspersky | Security Center | Syslog | Instructions |
| McAfee | ePO | Syslog | Instructions. KB article. Note: TLS only (requires rsyslog TLS configuration). |
| McAfee | Web Gateway | CEF | Instructions |
| Microsoft | SQL | Windows Event Log | Instructions |
| Minerva Labs | | CEF | Please ask the vendor for instructions. |
| NetApp | ONTAP | Syslog | Instructions. Note that these are management activity audit logs, not file usage activity logs. |
| Netflow | | Logstash | Use the Netflow codec plug-in |
| Okta | | Logstash | Logstash plug-in |
| One Identity | Safeguard | CEF | Sentinel built-in connector |
| Oracle | DB | Syslog | Instructions |
| Palo Alto | PAN-OS | CEF | Sentinel built-in connector |
| Palo Alto | Panorama | CEF | Instructions |
| Palo Alto | Traps through Cortex | Syslog | Instructions. Notes: requires rsyslog configuration to support RFC 5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA. |
| PostgreSQL | DB | Syslog, Windows Event Log | Instructions |
| SAP | HANA | Syslog | Instructions (requires an SAP account) |
| Snort | | Syslog | Instructions |
| SonicWall | | CEF | Instructions. Make sure you select local use 4 as the facility and ArcSight as the Syslog format. |
| Squadra | secRMM | API | Sentinel built-in connector |
| Squid | Proxy | Syslog | Configure access logs with either the TCP or UDP modules. Sentinel's built-in queries use the default log format. |
| Symantec | DLP | Syslog | Instructions. Note that only UDP is supported. |
| Symantec | DLP | CEF | Instructions. Uses response automation. |
| Symantec | ICDX | API | Sentinel built-in connector |
| Symantec | WSG (Bluecoat) | Syslog | Instructions. Note that only TCP is supported, which requires rsyslog configuration to use TCP. |
| Symantec | Endpoint Protection Manager | Syslog | Instructions |
| Symantec | Cloud Workload Protection | API | Instructions |
| Trend Micro | | CEF | Using Control Manager. Using LogForwarder. |
| Trend Micro | Deep Security | CEF | Sentinel built-in connector |
| Varonis | DatAlert | CEF | Instructions |
| WatchGuard | | CEF | Instructions |
| Zimperium | Mobile Threat Defense | API | Sentinel built-in connector |
| Zscaler | Internet Access (ZIA) | CEF | Sentinel built-in connector |
| Zscaler | Private Access (ZPA) | Logstash | Use LSS. Since LSS sends raw TCP rather than Syslog, you have to use Logstash instead of Azure Sentinel's native connector. |
