<LINGO-SUB id="lingo-sub-822693" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-822693" slang="en-US">
<P>Is Azure Sentinel planning on normalising ingested logs? Other players in this space are normalising ingested logs (see Elastic Common Schema), with CEF being a legacy example. Is the Azure Sentinel team planning on defining a normalised data model for ingested Azure and legacy logs? This would make querying data sets a lot simpler.</P>
<P>At the moment logs are disparately sprayed across different Log Analytics workspace tables (this might be the wrong name):</P>
<P>SignInLogs -- AAD logs</P>
<P>AzureDiagnostics - SQL PaaS logs</P>
<P>SecurityEvent - Windows server logs - Split across windows and</P>
<P>Unix VM logs - Syslog</P>
<P>Otherwise, could the MS team provide some guidance per Azure service on where the logs are recorded and how you can link or query across these unique Log Analytics tables?</P>
<P>Thanks in advance for your assistance.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1011025" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1011025" slang="en-US">
<P>The last two Fortinet links are dead.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1013906" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1013906" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/458905">@arvkris</A>: fixed. I hope they don't change their links again...</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1024543" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1024543" slang="en-US">
<P>Can a single Syslog/CEF server be used to stream CEF and syslog data sources?</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1030375" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1030375" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/454716">@Chi_Duong</A>: Yes, but it would require a direct edit to the agent and syslog daemon configuration files.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1030459" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1030459" slang="en-US">
<P>*NOTE* We already have a support case with the vendor (Fortinet), but so far all we've got is "we cannot help you now, we have only tested this out on virtual appliances". *NOTE*</P>
<P>Is there any way to change the "default query" of a connector?</P>
<P>We have a bunch of physical FortiGate appliances, from which log shipping in CEF format to Sentinel works fine (we can see the entries in CommonSecurityLog), but they're not logged as "Fortinet" per se.</P>
<P>An example log post:</P>
<P>`Oct 24 14:27:07 DEVICE_HOSTNAME CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013|forward traffic close|5|start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FG....`</P>
<P>However, the Fortinet connector says "not connected".</P>
<P>[image: clipboard_image_0.png]</P>
<P>Our guess is that this is because Sentinel is looking for something like this (as one of the example queries):</P>
<P>[image: clipboard_image_1.png]</P>
<P>... where DeviceProduct == “Fortigate” …<BR />We assume the culprit is that it’s looking for “Fortigate”, not a wildcard “Fortigate*”, and the Fortinet physical appliances report their model as Fortigate-<STRONG>$MODEL</STRONG>.</P>
<P>So, can we somehow change the “default query” for the connector to either search for “Fortigate*” or simply remove the “where DeviceProduct == “Fortigate”” clause completely?</P>
<P>Thank you in advance.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1030468" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1030468" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/458905">@arvkris</A>: we are aware of this bug and are working to resolve it. As you mentioned, it affects only the connector page.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-803891" slang="en-US">Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-803891" slang="en-US">
<P>Most network and security systems support either Syslog or <A href="https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557">CEF</A> (which stands for Common Event Format) over Syslog as a means of sending data to a SIEM. This makes Syslog or CEF the most straightforward ways to stream security and networking events to Azure Sentinel.</P>
<P>The advantage of CEF over Syslog is that it ensures the data is normalized, making it more immediately useful for analysis in Sentinel; however, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query-time parsing.</P>
<P>The number of systems supporting Syslog or CEF is in the hundreds, making the table below by no means comprehensive. We will update this list continuously. The table provides links to the source device's vendor documentation for configuring the device to send events in Syslog or CEF.</P>
<P>For completeness, we have also included sources that log to Sentinel directly using the native Sentinel API, as well as those that can log to the Windows Event Log and be read by Sentinel's Windows collection methods.</P>
<TABLE title="Table">
<TBODY>
<TR>
<TD><STRONG>Vendor</STRONG></TD>
<TD><STRONG>Product</STRONG></TD>
<TD><STRONG>Connector</STRONG></TD>
<TD><STRONG>Information</STRONG></TD>
</TR>
<TR>
<TD><STRONG>Akamai</STRONG></TD>
<TD></TD>
<TD>CEF</TD>
<TD><A href="https://developer.akamai.com/tools/integrations/siem">Instructions</A></TD>
</TR>
<TR>
<TD><STRONG>Apache</STRONG></TD>
<TD>httpd</TD>
<TD>Syslog</TD>
<TD><A href="https://www.loggly.com/ultimate-guide/centralizing-apache-logs/">Using rsyslog or logger as a file forwarder</A></TD>
</TR>
<TR>
<TD><STRONG>Aruba</STRONG></TD>
<TD>ClearPass</TD>
<TD>CEF</TD>
<TD><A href="https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm">Instructions</A></TD>
</TR>
<TR>
<TD><STRONG>Carbon Black</STRONG></TD>
<TD>Defense</TD>
<TD>Syslog</TD>
<TD><A href="https://developer.carbonblack.com/reference/cb-defense/integrations/">Instructions</A></TD>
</TR>
<TR>
<TD><STRONG>Carbon Black</STRONG></TD>
<TD>Response</TD>
<TD>Syslog</TD>
<TD><A href="https://developer.carbonblack.com/2016/06/cb-event-forwarder-3.2.0-released/">Instructions</A></TD>
</TR>
<TR>
<TD><STRONG>Checkpoint</STRONG></TD>
<TD></TD>
<TD>CEF</TD>
<TD><A href="https://docs.microsoft.com/en-us/azure/sentinel/connect-checkpoint">Sentinel built-in CEF connector</A></TD>
</TR>
<TR>
<TD><STRONG>Cisco</STRONG></TD>
<TD>ASA</TD>
<TD>Cisco (CEF)</TD>
<TD>
<P>Sentinel built-in CEF connector</P>
<P>Notes:</P>
<P>- Cisco ASA support uses Sentinel's CEF pipeline. However, Cisco's logging is not in CEF format.</P>
<P>- Make sure you disable the logging timestamp using "no logging timestamp". See <A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/l2.html">here</A> for more details.</P>
</TD>
</TR>
<TR>
<TD><STRONG>Cisco</STRONG></TD>
<TD>Cloud Security Gateway (CWS)</TD>
<TD>CEF</TD>
<TD>Use the <A href="https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/Advanced_Reporting/WSA_Advanced_Reporting_6/Advanced_Web_Security_Reporting_6_3.pdf">Cisco Advanced Web Security Reporting</A>.</TD>
</TR>
<TR>
<TD><STRONG>Cisco</STRONG></TD>
<TD>Web Security Appliances (WSA)</TD>
<TD>CEF</TD>
<TD>Use the <A href="https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/Advanced_Reporting/WSA_Advanced_Reporting_6/Advanced_Web_Security_Reporting_6_3.pdf">Cisco Advanced Web Security Reporting</A>.</TD>
</TR>
<TR>
<TD><STRONG>Cisco</STRONG></TD>
<TD>Meraki</TD>
<TD>Syslog</TD>
<TD>
<P><A href="https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration">Instructions</A></P>
<P><A href="https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples">Event Types and Log Samples</A></P>
</TD>
</TR>
<TR>
<TD><STRONG>Cisco</STRONG></TD>
<TD>Firepower Threat Defense</TD>
<TD>Syslog</TD>
<TD><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Configuring_External_Alerting.html?bookSearch=true">Instructions</A></TD>
</TR>
<TR>
<TD><STRONG>Cisco</STRONG></TD>
<TD>IronPort Web Security Appliance</TD>
<TD>Syslog</TD>
<TD><A href="https://wiki.splunk.com/Set_up_Splunk_for_Cisco_IronPort_Web_Security_Appliance">Instructions</A></TD>
</TR>
<TR>
<TD><STRONG>Cisco</STRONG></TD>
<TD>Nexus</TD>
<TD>Syslog</TD>
<TD><A href="https://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_1/Cisco_Nexus_5000_Series_Switch_CLI_Software_Configuration_Guide_chapter26.html">Instructions</A></TD>
</TR>
<TR>
<TD><STRONG>Citrix</STRONG></TD>
<TD>NetScaler</TD>
<TD>Syslog</TD>
<TD>
<P><A href="https://support.citrix.com/article/CTX121728">Instructions</A></P>
<P><A href="https://developer-docs.citrix.com/projects/netscaler-syslog-message-reference/en/12.0/">Message format</A></P>
</TD>
</TR>
<TR>
<TD><STRONG>Citrix</STRONG></TD>
<TD>NetScaler App FW</TD>
<TD>CEF</TD>
<TD><A href="https://support.citrix.com/article/CTX136146">Instructions</A></TD>
</TR>
<TR>
<TD><STRONG>CrowdStrike</STRONG></TD>
<TD>Falcon</TD>
<TD>CEF</TD>
<TD>Use a <A href="https://www.crowdstrike.com/resources/data-sheets/falcon-connector/">SIEM connector</A> installed on premises</TD>
</TR>
<TR>
<TD><STRONG>CyberArk</STRONG></TD>
<TD>Privileged Access Security</TD>
<TD>CEF</TD>
<TD>
<P><A href="https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm">Instructions</A></P>
<P><A href="https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/CEF-Based-Format-Definition.htm">Message format</A></P>
<P>Note that a <A href="https://techcommunity.microsoft.com/t5/Azure-Sentinel/Cannot-get-CommonSecurityLog-Events-to-show-in-Sentinel-quot/m-p/508132">change is required in the MMA configuration</A></P>
</TD>
</TR>
<TR>
<TD><STRONG>Darktrace</STRONG></TD>
<TD>Immune</TD>
<TD>CEF</TD>
<TD>See <A href="https://www.darktrace.com/en/press/2016/73/">announcement</A>.</TD>
</TR>
<TR>
<TD><STRONG>F5</STRONG></TD>
<TD>WAF</TD>
<TD>CEF</TD>
<TD><A href="https://docs.microsoft.com/en-us/azure/sentinel/connect-f5">Sentinel built-in connector</A></TD>
</TR>
<TR>
<TD><STRONG>F5</STRONG></TD>
<TD>BigIP</TD>
<TD>Syslog</TD>
<TD>
<P>Syslog: <A href="https://support.f5.com/csp/article/K13080">Instructions</A>, <A href="https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-5-1/23.html">TLS instructions</A></P>
<P>Direct: <A href="https://devcentral.f5.com/s/articles/Integrating-the-F5-BIGIP-with-Azure-Sentinel">blog</A>, <A href="https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/">instructions</A>, <A href="https://microsofteur.sharepoint.com/:v:/t/AzureSentinelProductInfo/EYoEiJ0yaXFCqkySHspyz6YByAYIkehOSSvbBQn6UoxiJQ?e=e5pkhR">How-to video</A></P>
</TD>
</TR>
<TR>
<TD><STRONG>FireEye</STRONG></TD>
<TD>NX</TD>
<TD>CEF</TD>
<TD>We could not find the vendor's documentation. See 3rd party instructions <A href="https://insightidr.help.rapid7.com/docs/fireeye-nx">here</A>.</TD>
</TR>
<TR>
<TD><STRONG>Forcepoint</STRONG></TD>
<TD>Web Security (WebSense)</TD>
<TD>CEF</TD>
<TD>
<P><A href="https://www.websense.com/content/support/library/web/v78/triton_web_help/settings_siem_explain.aspx">Instructions</A></P>
<P><A href="http://www.websense.com/content/support/library/web/v76/siem/siem.pdf#page=22">Detailed reference</A></P>
</TD>
</TR>
<TR>
<TD><STRONG>Fortinet</STRONG></TD>
<TD></TD>
<TD></TD>
<TD>
<P><A href="https://docs.microsoft.com/en-us/azure/sentinel/connect-fortinet">Sentinel built-in CEF connector</A></P>
<P><A href="https://docs.fortinet.com/document/fortigate/6.2.0/fortios-log-message-reference/998820/fortios-to-cef-log-field-mapping-guidelines">Log message reference</A></P>
<P><A href="https://docs.fortinet.com/document/fortigate/6.2.0/fortios-log-message-reference/127777/examples-of-cef-support">CEF mapping and examples</A></P>
</TD>
</TR>
<TR>
<TD><STRONG>HP</STRONG></TD>
<TD>Printers</TD>
<TD>Syslog</TD>
<TD><A href="http://h10032.www1.hp.com/ctg/Manual/c04531741">Instructions</A></TD>
</TR>
ht%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EIBM%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EzSecure%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESee%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.ibm.com%2Fsupport%2Fknowledgecenter%2Fen%2FSS2RWS_2.3.0%2Fcom.ibm.zsecure.doc_2.3.0%2Fabout_this_release%2Fabout_rel_whats_new.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat's%20new%20for%20zSecure%20V2.3.0%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20it%20supports%20alerts%20only.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EImperva%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3ESecureSphere%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.imperva.com%2Fdocs%2FSB_Imperva_SecureSphere_CEF_guide.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%3CSTRONG%3EInfoblox%3C%2FSTRONG%3E%3C%2FTD%3E%20%
3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3EOn-premises%20appliance%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.infoblox.com%2Fdisplay%2FNAG8%2FUsing%2Ba%2BSyslog%2BServer%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3EKaspersky%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3ESecurity%20Center%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.kaspersky.com%2FKSC%2FEventExport%2Fen-US%2F140022.htm%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EMcAfee%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EePO%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.mcafee.com%2Fbundle%2Fepolicy-orchestrator-5.9.1-product-guide%2Fpage%2FGUID-5C5332B3-
837A-4DDA-BE5C-1513A230D90A.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB87927%26amp%3Bactp%3Dnull%26amp%3Bviewlocale%3Den_US%26amp%3BshowDraft%3Dfalse%26amp%3Bplatinum_status%3Dfalse%26amp%3Blocale%3Den_US%26amp%3Bbk%3Dn%26amp%3B_ga%3D2.110407365.1184558696.1552347886-1519183354.1550404246%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKB%20Article%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%3A%20TLS%20only%20(requires%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.rsyslog.com%2Fdoc%2Fv8-stable%2Ftutorials%2Ftls_cert_summary.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ersyslog%20TLS%20configuration)%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EMcAfee%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EWeb%20Gateway%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fcommunity.mcafee.com%2Ft5%2FDocuments%2FWeb-Gateway-Understanding-syslog-send-logs-to-your-SIEM-or-other%2Fta-p%2F554145%23toc-hId-440677315%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20hei
ght%3A%2056px%3B%22%3E%20%3CP%3E%3CSTRONG%3EMicrosoft%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3ESQL%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3EWindows%20Event%20Log%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Frelational-databases%2Fsecurity%2Fauditing%2Fwrite-sql-server-audit-events-to-the-security-log%3Fview%3Dsql-server-ver15%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3E%3CSTRONG%3ENetApp%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3EONTAP%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.netapp.com%2Fontap-9%2Findex.jsp%3Ftopic%3D%252Fcom.netapp.doc.dot-cm-sag%252FGUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20those%20are%20management%20activity%20audit%20logs%20and%20not%20file%20usage%20activity%20logs.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EOracle%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EDB%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D
%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.oracle.com%2Fcd%2FB28359_01%2Fnetwork.111%2Fb28531%2Fauditing.htm%23DBSEG66112%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EPalo%20Alto%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EPanOS%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-paloalto%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built-in%20CEF%20connector%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EPalo%20Alto%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EPanorama%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.paloaltonetworks.com%2Fpanorama%2F9-0%2Fpanorama-admin%2Fmanage-log-collection%2Fconfigure-log-forwarding-from-panorama-to-external-destinations.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructio
ns%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20166px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20166px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EPalo%20Alto%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20166px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3ETraps%20through%20Cortex%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20166px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20166px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.paloaltonetworks.com%2Ftraps%2Ftms%2Ftraps-management-service-admin%2Fview-and-manage-logs%2Fforward-traps-logs-to-a-syslog-server%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENotes%3A%3C%2FP%3E%20%3CP%3E-%20Require%20rsyslog%20configuration%20to%20support%20RFC5424%3C%2FP%3E%20%3CP%3E-%20TLS%20only%20(requires%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.rsyslog.com%2Fdoc%2Fv8-stable%2Ftutorials%2Ftls_cert_summary.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ersyslog%20TLS%20configuration%3C%2FA%3E)%3C%2FP%3E%20%3CP%3E-%20The%20certificate%20has%20to%20be%20signed%20by%20a%20public%20CA%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2084px%3B%22%3E%3CSTRONG%3EPostgress%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2084px%3B%22%3EDB%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2084px%3B%22%3ESyslog%2C%20Windows%20Event%20log%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.postgr
esql.org%2Fdocs%2F9.1%2Fruntime-config-logging.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%3CSTRONG%3ESAP%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3EHaha%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fapps.support.sap.com%2Fsap%2Fsupport%2Fknowledge%2Fpreview%2Fen%2F2624117%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%20(requires%20a%20SAP%20account)%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20111px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESonicWall%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fhelp.sonicwall.com%2Fhelp%2Fsw%2Feng%2F7020%2F26%2F2%2F3%2Fcontent%2FLog_Syslog.120.2.htm%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3EMake%20sure%20you%3A%3CBR%20%2F%3E-%20Select%20local%20use%204%20as%20the%20facility.%3C%2FP%3E%20%3CP%3E-%20Select%20ArcSight%20as%20the%20Syslog%20format.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20va
lign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESquid%20Proxy%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20360px%3B%22%3EConfigure%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fwww.squid-cache.org%2FDoc%2Fconfig%2Faccess_log%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3Eaccess%20logs%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ewith%20either%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwiki.squid-cache.org%2FFeatures%2FLogModules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3ETCP%20of%20UDP%20modules%3C%2FA%3E.%20Sentinel's%20built-in%20queries%20use%20the%20default%20log%20format.%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ESymantec%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EWSG%20(Bluecoat)%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.symantec.com%2Fdocs%2FTECH242216%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20only%2
6nbsp%3BTCP%20is%20supported%20which%20requires%20rsyslog%20configuration%20to%20use%20TCP.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESymantec%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EEndpoint%20Protection%20Manager%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.symantec.com%2Fen_US%2Farticle.HOWTO81169.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%26nbsp%3B%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESymantec%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3ECloud%20Workload%20Protection%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3EAPI%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.symantec.com%2Fus%2Fen%2Farticle.howto130011.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ETrend%20Micro%3C%2FSTRONG%
3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fesupport.trendmicro.com%2Fmedia%2F13970354%2FTMCM_SIEM_Integration.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUsing%20Control%20Manager%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fdocs.trendmicro.com%2Fen-us%2Fenterprise%2Fcontrol-manager-70%2Ftools-and-additional%2Fusing-logforwarder%2Fconfiguring-logforwa.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUsing%20LogForwarder%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EVaronis%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EDatAlert%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Finfo.varonis.com%2Fhubfs%2Fdocs%2Fsplunk-app%2FVaronis-App-for-Splunk-User-Guide.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%3CSTRONG%3EWatchgaurd%3C%2FSTRONG
%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.watchguard.com%2Fhelp%2Fdocs%2Fhelp-center%2Fen-US%2FContent%2Fen-US%2FWi-Fi-Cloud%2Fmanage_wirelessmanager%2Fconfiguration%2Fsystem%2Farcsight_integration.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3EzScaler%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3ESee%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.zscaler.com%2Fzia%2Fdocumentation-knowledgebase%2Fanalytics%2Fnss%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EzScaler%20NSS%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.zscaler.com%2Fresources%2Fsolution-briefs%2Fpartner-hp-arcsight.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EArcSight%20integration%20guide%3C%2FA%3E.%3C%2FTD%3E%20%3C%2FTR%3E%20%3C%2FTBODY%3E%20%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-803891%22%20slang%3D%22en-US%22%3E%3CP%3EWant%20to%20connect%20a%20source%20system%20to%20Sentinel%20to%20send%20e
vents%3F%20The%20chances%20are%20that%20it%20supported%20streaming%20events%20using%20Syslog%20or%20CEF%2C%20or%20connects%20directly.%20This%20article%20provides%20pointers%20for%20configuring%20different%20security%20and%20networking%20systems%20to%20send%20events%20using%20Syslog%2C%20CEF%20or%20directly.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-803891%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConnectors%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Most network and security systems support either Syslog or CEF (Common Event Format) over Syslog as the means of sending data to a SIEM. This makes Syslog and CEF the most straightforward ways to stream security and networking events to Azure Sentinel.

 

The advantage of CEF over plain Syslog is that each event arrives already normalized into named fields (vendor, product, event class, severity and the key=value extensions), so it lands in Sentinel's CommonSecurityLog table ready for analysis. Unlike many other SIEM products, however, Sentinel also ingests unparsed Syslog events into the Syslog table and lets you extract fields from them at query time.
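To make the normalized-versus-unparsed distinction concrete, here is an added Python example (not code from the original post or from Microsoft). It parses a CEF-over-syslog line into named fields, using the CommonSecurityLog column names for the header, and applies a query-time regex to a plain Syslog message, here a Squid access_log line in the default native format. Both sample lines are constructed; the FortiGate line is modeled on the one quoted in the comments at the end of this page, and the prefix-match helper shows why an exact == comparison on DeviceProduct misses a product that reports itself as FortiGate-300E.

```python
import re
from typing import Dict, Optional

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# A literal "|" inside a header field is escaped as "\|", so a field is any run of
# non-pipe characters or backslash escapes.
_HDR_FIELD = r"((?:\\.|[^|\\])*)"
_CEF_RE = re.compile(r"CEF:\s*" + r"\|".join([_HDR_FIELD] * 7) + r"\|(.*)\Z", re.DOTALL)
# Header names follow the CommonSecurityLog columns Sentinel maps them to.
_HDR_NAMES = ("CefVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
              "DeviceEventClassID", "Activity", "LogSeverity")
# An extension key is alphanumeric, preceded by whitespace (or the start of the
# extension) and directly followed by "="; an escaped "\=" inside a value never
# matches because the backslash sits between the key characters and the "=".
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _unescape(text: str) -> str:
    # Undo CEF escaping: "\|", "\=", "\\" map to the escaped character; "\n" / "\r" to newlines.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  text, flags=re.DOTALL)


def _parse_extensions(ext: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    keys = list(_EXT_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Return the header and extension fields of a CEF message, with or without a
    syslog header in front of it; None if the line is not CEF."""
    line = line.rstrip("\r\n")
    pos = line.find("CEF:")
    m = _CEF_RE.match(line, pos) if pos >= 0 else None
    if m is None:
        return None
    record = {name: _unescape(raw) for name, raw in zip(_HDR_NAMES, m.groups()[:7])}
    record["SyslogHeader"] = line[:pos].rstrip()
    record.update(_parse_extensions(m.group(8)))
    return record


def device_product_matches(record: Dict[str, str], product: str) -> bool:
    """Case-insensitive prefix match on DeviceProduct: a FortiGate appliance reports
    e.g. "FortiGate-300E", so an exact == "Fortigate" comparison misses it."""
    return record.get("DeviceProduct", "").lower().startswith(product.lower())


# Query-time parsing of an unparsed Syslog message: the same idea as KQL's parse
# operator over the Syslog table, here as a regex over Squid's default native
# access_log layout (time elapsed client action/status bytes method URL user hierarchy type).
_SQUID_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hierarchy>\S+)\s+(?P<type>\S+)$")


def parse_squid_access(message: str) -> Optional[Dict[str, str]]:
    m = _SQUID_RE.match(message.strip())
    return m.groupdict() if m else None


# Constructed sample lines (not real device output). The CEF line is modeled on the
# FortiGate line quoted in the comments; the Squid line on the default native format.
CEF_LINE = ("Oct 24 14:27:07 fw01 CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013"
            "|forward traffic close|5|start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FG-TEST"
            " src=10.1.2.3 dst=203.0.113.9 msg=policy\\=allow\\|closed")
SQUID_LINE = ("1572012427.123    245 10.1.2.3 TCP_MISS/200 1043 GET http://example.com/ "
              "- HIER_DIRECT/93.184.216.34 text/html")

if __name__ == "__main__":
    cef = parse_cef(CEF_LINE)
    print(cef["DeviceVendor"], cef["DeviceProduct"], cef["Activity"], cef["src"], "->", cef["dst"])
    print("exact match:", cef["DeviceProduct"] == "Fortigate",
          "| prefix match:", device_product_matches(cef, "Fortigate"))
    print(parse_cef(SQUID_LINE), parse_squid_access(SQUID_LINE)["status"])
```

The CEF record comes out with the same field names whatever the vendor, which is what makes the CommonSecurityLog table immediately queryable; the Squid record only exists because the regex encodes knowledge of that one log format, which is the cost of query-time parsing.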

 

Hundreds of systems support Syslog or CEF, so the table below is by no means comprehensive; we will keep updating it. For each source it links to the vendor's documentation for configuring the device to send events in Syslog or CEF.

 

For completeness, we have also included sources that log to Sentinel directly through the native Sentinel API, as well as sources that write to the Windows Event Log and can be read by Sentinel's Windows collection methods.

 

Vendor | Product | Connector | Information
Akamai | | CEF | Instructions
Apache | httpd | Syslog | Using rsyslog or logger as a file forwarder
Aruba | ClearPass | CEF | Instructions
Carbon Black | Defense | Syslog | Instructions
Carbon Black | Response | Syslog | Instructions
Check Point | | CEF | Sentinel built-in CEF connector
Cisco | ASA | CEF | Sentinel built-in CEF connector. Notes: Cisco ASA support uses Sentinel's CEF pipeline even though ASA logging is not in CEF format. Make sure you disable logging timestamps with "no logging timestamp"; see here for more details.
Cisco | Cloud Security Gateway (CWS) | CEF | Use the Cisco Advanced Web Security Reporting.
Cisco | Web Security Appliance (WSA) | CEF | Use the Cisco Advanced Web Security Reporting.
Cisco | Meraki | Syslog | Instructions; Event types and log samples
Cisco | Firepower Threat Defense | Syslog | Instructions
Cisco | IronPort Web Security Appliance | Syslog | Instructions
Cisco | Nexus | Syslog | Instructions
Citrix | NetScaler | Syslog | Instructions; Message format
Citrix | NetScaler App FW | CEF | Instructions
CrowdStrike | Falcon | CEF | Use a SIEM connector installed on premises
CyberArk | Privileged Access Security | CEF | Instructions; Message format. Note that a change is required in the MMA configuration.
Darktrace | Immune | CEF | See announcement.
F5 | WAF | CEF | Sentinel built-in connector
F5 | BIG-IP | Syslog | Syslog: Instructions, TLS instructions. Direct: blog, instructions, how-to video
FireEye | NX | CEF | We could not find the vendor's documentation. See 3rd-party instructions here.
Forcepoint | Web Security (Websense) | CEF | Instructions; Detailed reference
Fortinet | | CEF | Sentinel built-in CEF connector; Log message reference; CEF mapping and examples
HP | Printers | Syslog | Instructions
IBM | zSecure | CEF | See What's new for zSecure V2.3.0. Note that it supports alerts only.
Imperva | SecureSphere | CEF | Instructions
Infoblox | On-premises appliance | Syslog | Instructions
Kaspersky | Security Center | Syslog | Instructions
McAfee | ePO | Syslog | Instructions; KB article. Note: TLS only (requires rsyslog TLS configuration).
McAfee | Web Gateway | CEF | Instructions
Microsoft | SQL Server | Windows Event Log | Instructions
NetApp | ONTAP | Syslog | Instructions. Note that these are management activity audit logs, not file access activity logs.
Oracle | DB | Syslog | Instructions
Palo Alto | PAN-OS | CEF | Sentinel built-in CEF connector
Palo Alto | Panorama | CEF | Instructions
Palo Alto | Traps (through Cortex) | Syslog | Instructions. Notes: requires rsyslog configuration to support RFC 5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA.
PostgreSQL | DB | Syslog, Windows Event Log | Instructions
SAP | HANA | Syslog | Instructions (requires an SAP account)
SonicWall | | CEF | Instructions. Make sure you select local use 4 (local4) as the facility and ArcSight as the Syslog format.
Squid Proxy | | Syslog | Configure access logs with either the TCP or UDP log module. Sentinel's built-in queries use the default log format.
Symantec | WSG (Blue Coat) | Syslog | Instructions. Note that only TCP is supported, which requires rsyslog configuration to receive over TCP.
Symantec | Endpoint Protection Manager | Syslog | Instructions
Symantec | Cloud Workload Protection | API | Instructions
Trend Micro | | CEF | Using Control Manager; Using LogForwarder
Varonis | DatAlert | CEF | Instructions
WatchGuard | | CEF | Instructions
Zscaler | | CEF | See Zscaler NSS and the ArcSight integration guide.
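Most of the notes in the table come down to what the syslog envelope looks like when it reaches the collector: which facility the device uses (SonicWall: local use 4), whether the header is RFC 3164 or RFC 5424 (Palo Alto Traps), whether transport is TCP or UDP, and whether the payload is actually CEF (Cisco ASA's is not). Before blaming a connector, capture a few raw lines at the collector and decode them. The Python below is an added example, not from the original post or any vendor: it decodes the PRI value into facility and severity, distinguishes the two header formats, and checks the result against stated expectations. The sample lines are constructed, and treating local4 as the expected facility is an assumption taken from the SonicWall note, not a general requirement the page states.

```python
import re
from typing import Dict, List, Optional

# Facility and severity names in PRI order (RFC 5424 section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.DOTALL)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG  (day of month is space-padded)
_RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL)


def decode_pri(pri: int) -> Dict[str, str]:
    """PRI = facility * 8 + severity; 191 (local7.debug) is the maximum."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8]}


def parse_syslog(raw: str) -> Optional[Dict[str, object]]:
    """Decode the envelope of one raw syslog line; None if it carries no <PRI> header."""
    raw = raw.rstrip("\r\n")
    for fmt, rx in (("rfc5424", _RFC5424_RE), ("rfc3164", _RFC3164_RE)):
        m = rx.match(raw)
        if m:
            rec: Dict[str, object] = {k: (v if v is not None else "") for k, v in m.groupdict().items()}
            rec.update(decode_pri(int(str(rec.pop("pri")))))
            rec["format"] = fmt
            rec["is_cef"] = str(rec["msg"]).lstrip().startswith("CEF:")
            return rec
    return None


def check_envelope(rec: Dict[str, object], expected_facility: str = "local4",
                   require_rfc5424: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means the envelope matches."""
    findings: List[str] = []
    if rec["facility"] != expected_facility:
        findings.append(f"facility is {rec['facility']}, expected {expected_facility}")
    if require_rfc5424 and rec["format"] != "rfc5424":
        findings.append(f"header is {rec['format']}, RFC 5424 required")
    return findings


# Constructed sample lines (not real device output). PRI 166 = local4*8 + info,
# PRI 134 = local0*8 + info; the third line has no PRI at all, as a line copied
# from a log file rather than captured on the wire would.
FORTIGATE_3164 = ("<166>Oct 24 14:27:07 fw01 CEF:0|Fortinet|FortiGate-300E|6.0.5|0000000013"
                  "|forward traffic close|5|src=10.1.2.3 dst=203.0.113.9")
EDR_5424 = ("<134>1 2019-10-24T14:27:07Z edr01 edr - - - CEF:0|ExampleCorp|EDR Agent|1.0"
            "|100|Malware detected|8|src=10.1.2.4")
NO_PRI = "Oct 24 14:27:07 fw01 CEF:0|Fortinet|FortiGate-300E|6.0.5|13|x|5|src=10.1.2.3"

if __name__ == "__main__":
    for line in (FORTIGATE_3164, EDR_5424, NO_PRI):
        rec = parse_syslog(line)
        if rec is None:
            print("no <PRI> header:", line[:40])
            continue
        print(rec["format"], rec["facility"], rec["severity"], rec["host"], "cef" if rec["is_cef"] else "raw",
              check_envelope(rec, require_rfc5424=(rec["host"] == "edr01")))
```

Run it against lines captured with tcpdump or rsyslog's debug output rather than against the device's own log viewer: the point is to see the facility and header the device really puts on the wire, which is what the rsyslog and agent configuration has to match.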
7 Comments
New Contributor

Is Azure sentinel planning on Normalising ingested logs? Other players in this space are normalising ingested logs (see Elastic Common Schema) and CEF being a legacy example. Is the Azure Sentinel Team planning on defining a normalised data model for ingested Azure and legacy logs ? This would make querying data sets a lot simpler.

 

At the moment logs are disparately sprayed across different log Analytics workspaces tables (this might be the wrong name):

SignInLogs -- AAD logs

AzureDiagnostics - SQL PaaS logs

SecurityEvent - Windows server logs - Split across windows and

Unix VM logs - Syslog

 

Otherwise if MS team can provide some guidance per Azure service and where the logs are recorded and how you can link or query across these unique Log Analytics tables?

 

Thanks in advance for your assistance. 

 

 

Frequent Visitor

The last two Fortinet links are dead.

Microsoft

@arvkris : fixed. I hope they don't change their links again...

Visitor

Can a single Syslog/CEF server be used to stream CEF and syslog data sources?

Microsoft

@Chi_Duong : Yes, but it would require direct edit to the agent and syslog daemon configuration files.

Frequent Visitor

 

*NOTE* We already have a support case with the vendor (Fortinet) but so far all we've got is "we cannot help you now, we have only tested this out on virtual appliances". *NOTE*

 

Is there any way to change the "default query" of a connector?

 

We have a bunch of physical FortiGate appliances, from which logshipping in CEF format to Sentinel works fine (We can see the entries in CommonSecurityLog) but they're not logged as "Fortinet" per se;

 

An example log post:

`Oct 24 14:27:07 DEVICE_HOSTNAME CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013|forward traffic close|5|start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FG....`

 

However, the Fortinet connector says "not connected".

[image: clipboard_image_0.png]

 

 

Our guess is because Sentinel is looking for something like this (as one of the example queries):

 

[image: clipboard_image_1.png]

... where DeviceProduct == “Fortigate” …
We assume the culprit is that it’s looking for “Fortigate”, not a wildcard “Fortigate*”, and the Fortinet physical appliances report their model as Fortigate-$MODEL.

 

So.. can we somehow change the “default query” for the connector to either search for “Fortigate*” or simply remove the “where DeviceProduct == “Fortigate”” clause completely?

 

Thank you in advance.

 

Microsoft

@arvkris : we are aware of this bug and are working to resolve. As you mentioned, it affects only the connector page.