Home
%3CLINGO-SUB%20id%3D%22lingo-sub-822693%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%3A%20The%20Syslog%20and%20CEF%20source%20configuration%20grand%20list%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822693%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20Azure%20sentinel%20planning%20on%20Normalising%20ingested%20logs%3F%20Other%20players%20in%20this%20space%20are%20normalising%20ingested%20logs%20(see%20Elastic%20Common%20Schema)%20and%20CEF%20being%20a%20legacy%20example.%20Is%20the%20Azure%20Sentinel%20Team%20planning%20on%20defining%20a%20normalised%20data%20model%20for%20ingested%20Azure%20and%20legacy%20logs%20%3F%20This%20would%20make%20querying%20data%20sets%20a%20lot%20simpler.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAt%20the%20moment%20logs%20are%20disparately%20sprayed%20across%20different%20log%20Analytics%20workspaces%20tables%20(this%20might%20be%20the%20wrong%20name)%3A%3C%2FP%3E%3CP%3ESignInLogs%20--%20AAD%20logs%3C%2FP%3E%3CP%3EAzureDiagnostics%20-%20SQL%20PaaS%20logs%3C%2FP%3E%3CP%3ESecurityEvent%20-%20Windows%20server%20logs%20-%20Split%20across%20windows%20and%3C%2FP%3E%3CP%3EUnix%20VM%20logs%20-%26nbsp%3B%3CSPAN%3ESyslog%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOtherwise%20if%20MS%20team%20can%20provide%20some%20guidance%20per%20Azure%20service%20and%20where%20the%20logs%20are%20recorded%20and%20how%20you%20can%20link%20or%20query%20across%20these%20unique%20Log%20Analytics%20tables%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%20for%20your%20assistance.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1011025%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%3A%20The%20Syslog%20and%20CEF%20source%20configuration%20grand%20list%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1011025%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20last%20two%20Fortinet%20links%20are%20dead.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1013906%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%3A%20The%20Syslog%20and%20CEF%20source%20configuration%20grand%20list%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1013906%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F458905%22%20target%3D%22_blank%22%3E%40arvkris%3C%2FA%3E%26nbsp%3B%3A%20fixed.%20I%20hope%20they%20don't%20change%20their%20links%20again...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1024543%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%3A%20The%20Syslog%20and%20CEF%20source%20configuration%20grand%20list%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1024543%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20a%20single%20Syslog%2FCEF%20server%20be%20used%20to%20stream%20CEF%20and%20syslog%20data%20sources%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1030375%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%3A%20The%20Syslog%20and%20CEF%20source%20configuration%20grand%20list%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1030375%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F454716%22%20target%3D%22_blank%22%3E%40Chi_Duong%3C%2FA%3E%26nbsp%3B%3A%20Yes%2C%20but%20it%20would%20require%20direct%20edit%20to%20the%20agent%20and%20syslog%20daemon%20configuration%20files.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1030459%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%3A%20The%20Syslog%20and%20CEF%20source%20configuration%20grand%20list%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1030459%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*NOTE*%20We%20already%20have%20a%20support%20case%20with%20the%20vendor%20(Fortinet)%20but%20so%20far%20all%20we've%20got%20is%20%22we%20cannot%20help%20you%20now%2C%20we%20have%20only%20tested%20this%20out%20on%20virtual%20appliances%22.%20*NOTE*%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20way%20to%20change%20the%20%22default%20query%22%20of%20a%20connector%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%20bunch%20of%20physical%20FortiGate%20appliances%2C%20from%20whcih%20logshipping%20in%20CEF%20format%20to%20Sentinel%20works%20fine%20(We%20can%20see%20the%20entries%20in%20CommonSecurityLog)%20but%20they're%20not%20logged%20as%20%22Fortinet%22%20per%20se%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAn%20example%20log%20post%3A%3C%2FP%3E%3CP%3E%60Oct%2024%2014%3A27%3A07%20DEVICE_HOSTNAME%20CEF%3A%200%7CFortinet%7CFortiGate-300E%7C6.0.5%2Cbuild0268%20(GA)%7C0000000013%7Cforward%20traffic%20close%7C5%7Cstart%3DOct%2024%202019%2014%3A27%3A07%20logver%3D60%20deviceExternalId%3DFG....%60%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20the%20Fortinet%20connector%20says%20%22not%20connected%22.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F158766i18DB7548D496C598%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20guess%20is%20because%20Sentinel%20is%20looking%20for%20something%20like%20this%20(as%20one%20of%20the%20example%20queries)%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F158767i8E5F53B192FB21F6%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E...%20where%20DeviceProduct%20%3D%3D%20%E2%80%9CFortigate%E2%80%9D%20%E2%80%A6%3CBR%20%2F%3EWe%20assume%20the%20culprit%20is%20that%20it%E2%80%99s%20looking%20for%20%E2%80%9CFortigate%E2%80%9D%2C%20not%20a%20wildcard%20%E2%80%9CFortigate*%E2%80%9D%2C%20and%20the%20Fortinet%20physical%20appliances%20report%20their%20model%20as%20Fortigate-%3CSTRONG%3E%24MODEL%3C%2FSTRONG%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo..%20can%20we%20somehow%20change%20the%20%E2%80%9Cdefault%20query%E2%80%9D%20for%20the%20connector%20to%20either%20search%20for%20%E2%80%9CFortigate*%E2%80%9D%20or%20simply%20remove%20the%20%E2%80%9Cwhere%20DeviceProduct%20%3D%3D%20%E2%80%9CFortigate%E2%80%9D%E2%80%9D%20clause%20completely%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20in%20advance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1030468%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%3A%20The%20Syslog%20and%20CEF%20source%20configuration%20grand%20list%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1030468%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F458905%22%20target%3D%22_blank%22%3E%40arvkris%3C%2FA%3E%26nbsp%3B%3A%20we%20are%20aware%20of%20this%20bug%20and%20are%20working%20to%20resolve.%20As%20you%20mentioned%2C%20it%20affects%20only%20the%20connector%20page.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803891%22%20slang%3D%22en-US%22%3EAzure%20Sentinel%3A%20The%20Syslog%20and%20CEF%20source%20configuration%20grand%20list%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803891%22%20slang%3D%22en-US%22%3E%3CP%3EMost%20network%20and%20security%20systems%20support%20either%20Syslog%20or%20%3CA%20href%3D%22https%3A%2F%2Fcommunity.microfocus.com%2Ft5%2FArcSight-Connectors%2FArcSight-Common-Event-Format-CEF-Implementation-Standard%2Fta-p%2F1645557%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECEF%3C%2FA%3E%20(which%20stands%20for%20Common%20Event%20Format)%20over%20Syslog%20as%20means%20for%20sending%20data%20to%20a%20SIEM.%20This%20makes%20Syslog%20or%20CEF%20the%20most%20straight%20forward%20ways%20to%20stream%20security%20and%20networking%20events%20to%20Azure%20Sentinel.%3C%2FP%3E%20%3CP%3E%26nbsp%3B%3C%2FP%3E%20%3CP%3EThe%20advantage%20of%20CEF%20over%20Syslog%20is%20that%20it%20ensures%20the%20data%20is%20normalized%20making%20it%20more%20immediately%20useful%20for%20analysis%20using%20Sentinel%2C%20however%2C%20unlike%20many%20other%20SIEM%20products%2C%20Sentinel%20allows%20ingesting%20unparsed%20Syslog%20events%20and%20performing%20analytics%20on%20them%20using%20query%20time%20parsing.%26nbsp%3B%3C%2FP%3E%20%3CP%3E%26nbsp%3B%3C%2FP%3E%20%3CP%3EThe%20number%20of%20systems%20supporting%20Syslog%20or%20CEF%20is%20in%20the%20hundreds%2C%20making%20the%20table%20below%20by%20no%20means%20comprehensive.%20We%20will%20update%20this%20list%20continuously.%20The%20table%20provides%20links%20to%20the%20source%20device's%20vendor%20documentation%20for%20configuring%20the%20device%20to%20send%20events%20in%20Syslog%20or%20CEF.%3C%2FP%3E%20%3CP%3E%26nbsp%3B%3C%2FP%3E%20%3CP%3EFor%20completness%2C%20we%20have%20included%20also%20sources%20that%20log%20to%20Sentinel%20directly%20using%20the%20native%20Sentinel%20API%20as%20well%20as%20those%20that%20can%20log%20to%20Windows%20Event%20Log%2C%20and%20be%20read%20by%20Sentinel's%20Windows%20collection%20methods.%3C%2FP%3E%20%3CP%3E%26nbsp%3B%3C%2FP%3E%20%3CTABLE%20style%3D%22height%3A%202699px%3B%22%20title%3D%22Table%22%20width%3D%22755%22%3E%20%3CTBODY%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EVendor%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EProduct%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EConnector%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CSTRONG%3EInformation%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3EAkamai%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.akamai.com%2Ftools%2Fintegrations%2Fsiem%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EApache%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3Ehttpd%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.loggly.com%2Fultimate-guide%2Fcentralizing-apache-logs%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUsing%20rsyslog%20or%20logger%20as%20a%20file%20forwarder%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EAruba%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EClearPass%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.arubanetworks.com%2Ftechdocs%2FClearPass%2F6.8%2FPolicyManager%2Findex.htm%23CPPM_UserGuide%2FAdmin%2FsyslogExportFilters_add_syslog_filter_general.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECarbon%20Black%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EDefense%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.carbonblack.com%2Freference%2Fcb-defense%2Fintegrations%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECarbon%20Black%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EResponse%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.carbonblack.com%2F2016%2F06%2Fcb-event-forwarder-3.2.0-released%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECheckpoint%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-checkpoint%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built%20in%20CEF%20connector%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20193px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20156.667px%3B%22%3EASA%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%2088.6667px%3B%22%3ECisco%20(CEF)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESentinel%20built-in%20CEF%20connector%3C%2FP%3E%20%3CP%3ENotes%3A%3C%2FP%3E%20%3CP%3E-%20Cisco%20ASA%20support%20uses%20Sentinel's%20CEF%20pipeline.%20However%2C%20Cisco's%20logging%20is%20not%20in%20CEF%20format.%3C%2FP%3E%20%3CP%3E-%20Make%20sure%20you%20disable%20logging%20timestamp%20using%20%22no%20logging%20timestamp%22.%20See%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fasa%2Fasa82%2Fcommand%2Freference%2Fcmd_ref%2Fl2.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3Ehere%3C%2FA%3E%26nbsp%3Bfor%20more%20details.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3ECloud%20Security%20Gateway%20(CWS)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3EUse%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fwsa%2FAdvanced_Reporting%2FWSA_Advanced_Reporting_6%2FAdvanced_Web_Security_Reporting_6_3.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3ECisco%20Advanced%20Web%20Security%20Reporting%3C%2FA%3E.%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EWeb%20Security%20Appliances%20(WSA)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3EUse%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fwsa%2FAdvanced_Reporting%2FWSA_Advanced_Reporting_6%2FAdvanced_Web_Security_Reporting_6_3.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3ECisco%20Advanced%20Web%20Security%20Reporting%3C%2FA%3E.%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EMeraki%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocumentation.meraki.com%2FzGeneral_Administration%2FMonitoring_and_Reporting%2FSyslog_Server_Overview_and_Configuration%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocumentation.meraki.com%2FzGeneral_Administration%2FMonitoring_and_Reporting%2FSyslog_Event_Types_and_Log_Samples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEvent%20Types%20and%20Log%20Samples%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EFirepower%20Threat%20Defense%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Ffirepower%2F601%2Fconfiguration%2Fguide%2Ffpmc-config-guide-v601%2FConfiguring_External_Alerting.html%3FbookSearch%3Dtrue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EIronPort%20Web%20Security%20Appliance%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwiki.splunk.com%2FSet_up_Splunk_for_Cisco_IronPort_Web_Security_Appliance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3ENexus%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fswitches%2Fdatacenter%2Fnexus5000%2Fsw%2Fconfiguration%2Fguide%2Fcli_rel_4_1%2FCisco_Nexus_5000_Series_Switch_CLI_Software_Configuration_Guide_chapter26.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECirtix%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3ENetScaler%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.citrix.com%2Farticle%2FCTX121728%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper-docs.citrix.com%2Fprojects%2Fnetscaler-syslog-message-reference%2Fen%2F12.0%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EMessage%20format%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECitrix%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3ENetScaler%20App%20FW%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.citrix.com%2Farticle%2FCTX136146%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECrowdStrike%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EFalcon%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3EUse%20a%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.crowdstrike.com%2Fresources%2Fdata-sheets%2Ffalcon-connector%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESIEM%20connector%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Einstalled%20on%20premises%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20111px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECyberArk%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20156.667px%3B%22%3E%3CSPAN%3EPrivileged%20Access%20Security%3C%2FSPAN%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.cyberark.com%2FProduct-Doc%2FOnlineHelp%2FPAS%2FLatest%2Fen%2FContent%2FPTA%2FOutbound-Sending-%2520PTA-syslog-Records-to-SIEM.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.cyberark.com%2FProduct-Doc%2FOnlineHelp%2FPAS%2FLatest%2Fen%2FContent%2FPTA%2FCEF-Based-Format-Definition.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMessage%20format%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20a%26nbsp%3B%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FCannot-get-CommonSecurityLog-Events-to-show-in-Sentinel-quot%2Fm-p%2F508132%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Echange%20is%20required%20in%20the%20MMA%20configuration%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EDarktrace%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EImmune%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESee%20%3CA%20href%3D%22https%3A%2F%2Fwww.darktrace.com%2Fen%2Fpress%2F2016%2F73%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eannouncement%3C%2FA%3E.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EF5%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EWAF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-f5%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built-in%20connector%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20138px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EF5%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EBigIP%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.f5.com%2Fcsp%2Farticle%2FK13080%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechdocs.f5.com%2Fkb%2Fen-us%2Fproducts%2Fbig-ip_ltm%2Fmanuals%2Fproduct%2Ftmos-implementations-11-5-1%2F23.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETLS%20instructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20F5%20BigIP%20also%20supports%20%3CA%20href%3D%22https%3A%2F%2Fclouddocs.f5.com%2Fproducts%2Fextensions%2Ff5-telemetry-streaming%2Flatest%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edirect%20integration%3C%2FA%3E%20with%20Sentinel%20(also%20see%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmicrosofteur.sharepoint.com%2F%3Av%3A%2Ft%2FAzureSentinelProductInfo%2FEYoEiJ0yaXFCqkySHspyz6YByAYIkehOSSvbBQn6UoxiJQ%3Fe%3De5pkhR%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHow%20to%20video%3C%2FA%3E)%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CSTRONG%3EFireEye%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3ENX%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3EWe%20could%20not%20find%20the%20vendors%20documentation.%20See%203rd%20party%20instructions%20%3CA%20href%3D%22https%3A%2F%2Finsightidr.help.rapid7.com%2Fdocs%2Ffireeye-nx%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CSTRONG%3EForcepoint%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3EWeb%20Security%20(WebSense)%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.websense.com%2Fcontent%2Fsupport%2Flibrary%2Fweb%2Fv78%2Ftriton_web_help%2Fsettings_siem_explain.aspx%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.websense.com%2Fcontent%2Fsupport%2Flibrary%2Fweb%2Fv76%2Fsiem%2Fsiem.pdf%23page%3D22%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDetailed%20reference%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EFortinet%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-fortinet%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built-in%20CEF%20connector%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.fortinet.com%2Fdocument%2Ffortigate%2F6.2.0%2Ffortios-log-message-reference%2F998820%2Ffortios-to-cef-log-field-mapping-guidelines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ELog%20message%20reference%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.fortinet.com%2Fdocument%2Ffortigate%2F6.2.0%2Ffortios-log-message-reference%2F127777%2Fexamples-of-cef-support%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECEF%20mapping%20and%20examples%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EHP%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%22%3E%20%3CP%3EPrinters%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fh10032.www1.hp.com%2Fctg%2FManual%2Fc04531741%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EIBM%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EzSecure%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESee%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.ibm.com%2Fsupport%2Fknowledgecenter%2Fen%2FSS2RWS_2.3.0%2Fcom.ibm.zsecure.doc_2.3.0%2Fabout_this_release%2Fabout_rel_whats_new.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat's%20new%20for%20zSecure%20V2.3.0%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20it%20supports%20alerts%20only.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EImperva%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3ESecureSphere%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.imperva.com%2Fdocs%2FSB_Imperva_SecureSphere_CEF_guide.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%3CSTRONG%3EInfoblox%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3EOn-premises%20appliance%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.infoblox.com%2Fdisplay%2FNAG8%2FUsing%2Ba%2BSyslog%2BServer%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3EKaspersky%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3ESecurity%20Center%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.kaspersky.com%2FKSC%2FEventExport%2Fen-US%2F140022.htm%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EMcAfee%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EePO%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.mcafee.com%2Fbundle%2Fepolicy-orchestrator-5.9.1-product-guide%2Fpage%2FGUID-5C5332B3-837A-4DDA-BE5C-1513A230D90A.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB87927%26amp%3Bactp%3Dnull%26amp%3Bviewlocale%3Den_US%26amp%3BshowDraft%3Dfalse%26amp%3Bplatinum_status%3Dfalse%26amp%3Blocale%3Den_US%26amp%3Bbk%3Dn%26amp%3B_ga%3D2.110407365.1184558696.1552347886-1519183354.1550404246%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKB%20Article%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%3A%20TLS%20only%20(requires%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.rsyslog.com%2Fdoc%2Fv8-stable%2Ftutorials%2Ftls_cert_summary.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ersyslog%20TLS%20configuration)%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EMcAfee%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EWeb%20Gateway%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fcommunity.mcafee.com%2Ft5%2FDocuments%2FWeb-Gateway-Understanding-syslog-send-logs-to-your-SIEM-or-other%2Fta-p%2F554145%23toc-hId-440677315%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CSTRONG%3EMicrosoft%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3ESQL%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3EWindows%20Event%20Log%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Frelational-databases%2Fsecurity%2Fauditing%2Fwrite-sql-server-audit-events-to-the-security-log%3Fview%3Dsql-server-ver15%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3E%3CSTRONG%3ENetApp%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3EONTAP%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.netapp.com%2Fontap-9%2Findex.jsp%3Ftopic%3D%252Fcom.netapp.doc.dot-cm-sag%252FGUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20those%20are%20management%20activity%20audit%20logs%20and%20not%20file%20usage%20activity%20logs.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EOracle%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EDB%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.oracle.com%2Fcd%2FB28359_01%2Fnetwork.111%2Fb28531%2Fauditing.htm%23DBSEG66112%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EPalo%20Alto%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EPanOS%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-paloalto%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built-in%20CEF%20connector%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EPalo%20Alto%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EPanorama%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.paloaltonetworks.com%2Fpanorama%2F9-0%2Fpanorama-admin%2Fmanage-log-collection%2Fconfigure-log-forwarding-from-panorama-to-external-destinations.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20166px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20166px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EPalo%20Alto%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20166px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3ETraps%20through%20Cortex%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20166px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20166px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.paloaltonetworks.com%2Ftraps%2Ftms%2Ftraps-management-service-admin%2Fview-and-manage-logs%2Fforward-traps-logs-to-a-syslog-server%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENotes%3A%3C%2FP%3E%20%3CP%3E-%20Require%20rsyslog%20configuration%20to%20support%20RFC5424%3C%2FP%3E%20%3CP%3E-%20TLS%20only%20(requires%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.rsyslog.com%2Fdoc%2Fv8-stable%2Ftutorials%2Ftls_cert_summary.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ersyslog%20TLS%20configuration%3C%2FA%3E)%3C%2FP%3E%20%3CP%3E-%20The%20certificate%20has%20to%20be%20signed%20by%20a%20public%20CA%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2084px%3B%22%3E%3CSTRONG%3EPostgress%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2084px%3B%22%3EDB%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2084px%3B%22%3ESyslog%2C%20Windows%20Event%20log%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2084px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.postgresql.org%2Fdocs%2F9.1%2Fruntime-config-logging.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESAP%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%22%3EHaha%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fapps.support.sap.com%2Fsap%2Fsupport%2Fknowledge%2Fpreview%2Fen%2F2624117%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%20(requires%20a%20SAP%20account)%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20111px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESonicWall%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fhelp.sonicwall.com%2Fhelp%2Fsw%2Feng%2F7020%2F26%2F2%2F3%2Fcontent%2FLog_Syslog.120.2.htm%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3EMake%20sure%20you%3A%3CBR%20%2F%3E-%20Select%20local%20use%204%20as%20the%20facility.%3C%2FP%3E%20%3CP%3E-%20Select%20ArcSight%20as%20the%20Syslog%20format.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESquid%20Proxy%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20360px%3B%22%3EConfigure%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fwww.squid-cache.org%2FDoc%2Fconfig%2Faccess_log%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3Eaccess%20logs%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ewith%20either%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwiki.squid-cache.org%2FFeatures%2FLogModules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3ETCP%20of%20UDP%20modules%3C%2FA%3E.%20Sentinel's%20built-in%20queries%20use%20the%20default%20log%20format.%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ESymantec%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EWSG%20(Bluecoat)%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.symantec.com%2Fdocs%2FTECH242216%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20only%26nbsp%3BTCP%20is%20supported%20which%20requires%20rsyslog%20configuration%20to%20use%20TCP.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESymantec%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EEndpoint%20Protection%20Manager%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.symantec.com%2Fen_US%2Farticle.HOWTO81169.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%26nbsp%3B%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ESymantec%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3ECloud%20Workload%20Protection%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3EAPI%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.symantec.com%2Fus%2Fen%2Farticle.howto130011.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ETrend%20Micro%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fesupport.trendmicro.com%2Fmedia%2F13970354%2FTMCM_SIEM_Integration.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUsing%20Control%20Manager%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fdocs.trendmicro.com%2Fen-us%2Fenterprise%2Fcontrol-manager-70%2Ftools-and-additional%2Fusing-logforwarder%2Fconfiguring-logforwa.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUsing%20LogForwarder%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EVaronis%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EDatAlert%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Finfo.varonis.com%2Fhubfs%2Fdocs%2Fsplunk-app%2FVaronis-App-for-Splunk-User-Guide.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%22%3E%3CSTRONG%3EWatchgaurd%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.watchguard.com%2Fhelp%2Fdocs%2Fhelp-center%2Fen-US%2FContent%2Fen-US%2FWi-Fi-Cloud%2Fmanage_wirelessmanager%2Fconfiguration%2Fsystem%2Farcsight_integration.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3EzScaler%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3ESee%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.zscaler.com%2Fzia%2Fdocumentation-knowledgebase%2Fanalytics%2Fnss%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EzScaler%20NSS%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.zscaler.com%2Fresources%2Fsolution-briefs%2Fpartner-hp-arcsight.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EArcSight%20integration%20guide%3C%2FA%3E.%3C%2FTD%3E%20%3C%2FTR%3E%20%3C%2FTBODY%3E%20%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-803891%22%20slang%3D%22en-US%22%3E%3CP%3EWant%20to%20connect%20a%20source%20system%20to%20Sentinel%20to%20send%20events%3F%20The%20chances%20are%20that%20it%20supported%20streaming%20events%20using%20Syslog%20or%20CEF.%20This%20article%20provides%20pointers%20for%20configuring%20different%20security%20and%20networking%20systems%20to%20send%20events%20using%20Syslog%20or%20CEF.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-803891%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConnectors%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Most network and security systems support either Syslog or CEF (which stands for Common Event Format) over Syslog as means for sending data to a SIEM. This makes Syslog or CEF the most straight forward ways to stream security and networking events to Azure Sentinel.

 

The advantage of CEF over Syslog is that it ensures the data is normalized making it more immediately useful for analysis using Sentinel, however, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query time parsing. 

 

The number of systems supporting Syslog or CEF is in the hundreds, making the table below by no means comprehensive. We will update this list continuously. The table provides links to the source device's vendor documentation for configuring the device to send events in Syslog or CEF.

 

For completness, we have included also sources that log to Sentinel directly using the native Sentinel API as well as those that can log to Windows Event Log, and be read by Sentinel's Windows collection methods.

 

Vendor

Product

Connector

Information

Akamai   CEF Instructions

Apache

httpd

Syslog

Using rsyslog or logger as a file forwarder

Aruba

ClearPass

CEF

Instructions

Carbon Black

Defense

Syslog

Instructions

Carbon Black

Response

Syslog

Instructions

Checkpoint   CEF

Sentinel Built in CEF connector

Cisco ASA Cisco (CEF)

Sentinel built-in CEF connector

Notes:

- Cisco ASA support uses Sentinel's CEF pipeline. However, Cisco's logging is not in CEF format.

- Make sure you disable logging timestamp using "no logging timestamp". See here for more details.

Cisco Cloud Security Gateway (CWS) CEF Use the Cisco Advanced Web Security Reporting.
Cisco Web Security Appliances (WSA) CEF Use the Cisco Advanced Web Security Reporting.

Cisco

Meraki

Syslog

Instructions

Event Types and Log Samples

Cisco Firepower Threat Defense Syslog

Instructions

Cisco IronPort Web Security Appliance Syslog

Instructions

Cisco Nexus Syslog

Instructions

Cirtix NetScaler  Syslog

Instructions

Message format

Citrix NetScaler App FW CEF Instructions

CrowdStrike

Falcon

CEF

Use a SIEM connector installed on premises

CyberArk

Privileged Access Security

CEF

Instructions

Message format

Note that a  change is required in the MMA configuration

Darktrace

Immune

CEF

See announcement.

F5

WAF

CEF

Sentinel Built-in connector

F5

BigIP

Syslog

Instructions

TLS instructions

Note that F5 BigIP also supports direct integration with Sentinel (also see the How to video)

FireEye

NX CEF

We could not find the vendors documentation. See 3rd party instructions here.

Forcepoint

Web Security (WebSense) CEF

Instructions

Detailed reference

Fortinet

   

Sentinel Built-in CEF connector

Log message reference

CEF mapping and examples

HP

Printers

Syslog

Instructions

IBM

zSecure

CEF

See What's new for zSecure V2.3.0

Note that it supports alerts only.

Imperva

SecureSphere

CEF

Instructions

Infoblox On-premises appliance Syslog Instructions
Kaspersky Security Center  Syslog Instructions

McAfee

ePO

Syslog

InstructionsKB Article

Note: TLS only (requires rsyslog TLS configuration)

McAfee

Web Gateway

CEF

Instructions

Microsoft

SQL

Windows Event Log

Instructions

NetApp

ONTAP

Syslog

Instructions

Note that those are management activity audit logs and not file usage activity logs.

Oracle

DB

Syslog

Instructions

Palo Alto

PanOS

CEF

Sentinel Built-in CEF connector

Palo Alto

Panorama

CEF

Instructions

Palo Alto

Traps through Cortex

Syslog

Instructions

Notes:

- Require rsyslog configuration to support RFC5424

- TLS only (requires rsyslog TLS configuration)

- The certificate has to be signed by a public CA

Postgress DB Syslog, Windows Event log

Instructions

SAP Haha Syslog

Instructions (requires a SAP account)

SonicWall   CEF

Instructions

Make sure you:
- Select local use 4 as the facility.

- Select ArcSight as the Syslog format.

Squid Proxy   Syslog Configure access logs with either the TCP of UDP modules. Sentinel's built-in queries use the default log format.

Symantec

WSG (Bluecoat)

Syslog

Instructions

Note that only TCP is supported which requires rsyslog configuration to use TCP.

Symantec   Endpoint Protection Manager Syslog Instructions  
Symantec Cloud Workload Protection API Instructions

Trend Micro

 

CEF

Using Control Manager

Using LogForwarder

Varonis

DatAlert

CEF

Instructions

Watchgaurd   CEF Instructions
zScaler   CEF See zScaler NSS and the ArcSight integration guide.
7 Comments
New Contributor

Is Azure sentinel planning on Normalising ingested logs? Other players in this space are normalising ingested logs (see Elastic Common Schema) and CEF being a legacy example. Is the Azure Sentinel Team planning on defining a normalised data model for ingested Azure and legacy logs ? This would make querying data sets a lot simpler.

 

At the moment logs are disparately sprayed across different log Analytics workspaces tables (this might be the wrong name):

SignInLogs -- AAD logs

AzureDiagnostics - SQL PaaS logs

SecurityEvent - Windows server logs - Split across windows and

Unix VM logs - Syslog

 

Otherwise if MS team can provide some guidance per Azure service and where the logs are recorded and how you can link or query across these unique Log Analytics tables?

 

Thanks in advance for your assistance. 

 

 

Frequent Visitor

The last two Fortinet links are dead.

Microsoft

@arvkris : fixed. I hope they don't change their links again...

Visitor

Can a single Syslog/CEF server be used to stream CEF and syslog data sources?

Microsoft

@Chi_Duong : Yes, but it would require direct edit to the agent and syslog daemon configuration files.

Frequent Visitor

 

*NOTE* We already have a support case with the vendor (Fortinet) but so far all we've got is "we cannot help you now, we have only tested this out on virtual appliances". *NOTE*

 

Is there any way to change the "default query" of a connector?

 

We have a bunch of physical FortiGate appliances, from whcih logshipping in CEF format to Sentinel works fine (We can see the entries in CommonSecurityLog) but they're not logged as "Fortinet" per se;

 

An example log post:

`Oct 24 14:27:07 DEVICE_HOSTNAME CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013|forward traffic close|5|start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FG....`

 

However, the Fortinet connector says "not connected".

clipboard_image_0.png

 

 

Our guess is because Sentinel is looking for something like this (as one of the example queries):

 

clipboard_image_1.png

... where DeviceProduct == “Fortigate” …
We assume the culprit is that it’s looking for “Fortigate”, not a wildcard “Fortigate*”, and the Fortinet physical appliances report their model as Fortigate-$MODEL.

 

So.. can we somehow change the “default query” for the connector to either search for “Fortigate*” or simply remove the “where DeviceProduct == “Fortigate”” clause completely?

 

Thank you in advance.

 

Microsoft

@arvkris : we are aware of this bug and are working to resolve. As you mentioned, it affects only the connector page.