Re: Azure Sentinel: The Syslog and CEF source configuration grand list

Is Azure Sentinel planning on normalising ingested logs? Other players in this space are normalising ingested logs (see Elastic Common Schema), with CEF being a legacy example. Is the Azure Sentinel team planning on defining a normalised data model for ingested Azure and legacy logs? This would make querying data sets a lot simpler.

At the moment logs are disparately sprayed across different Log Analytics workspace tables (this might be the wrong name):

SignInLogs -- AAD logs
AzureDiagnostics - SQL PaaS logs
SecurityEvent - Windows server logs - split across Windows and
Unix VM logs - Syslog

Otherwise, could the MS team provide some guidance per Azure service on where the logs are recorded and how you can link or query across these unique Log Analytics tables?

Thanks in advance for your assistance.

Re: Azure Sentinel: The Syslog and CEF source configuration grand list

The last two Fortinet links are dead.

Re: Azure Sentinel: The Syslog and CEF source configuration grand list

@arvkris: fixed. I hope they don't change their links again...

Re: Azure Sentinel: The Syslog and CEF source configuration grand list

Can a single Syslog/CEF server be used to stream CEF and syslog data sources?

Re: Azure Sentinel: The Syslog and CEF source configuration grand list

*NOTE* We already have a support case with the vendor (Fortinet), but so far all we've got is "we cannot help you now, we have only tested this out on virtual appliances". *NOTE*

Is there any way to change the "default query" of a connector?

We have a bunch of physical FortiGate appliances, from which log shipping in CEF format to Sentinel works fine (we can see the entries in CommonSecurityLog), but they're not logged as "Fortinet" per se.

An example log post:

Oct 24 14:27:07 DEVICE_HOSTNAME CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013|forward traffic close|5|start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FG....

However, the Fortinet connector says "not connected".

[screenshot: clipboard_image_0.png]

Our guess is because Sentinel is looking for something like this (as one of the example queries):

[screenshot: clipboard_image_1.png]

... where DeviceProduct == "Fortigate" ...
We assume the culprit is that it's looking for "Fortigate", not a wildcard "Fortigate*", and the Fortinet physical appliances report their model as Fortigate-$MODEL.

So.. can we somehow change the "default query" for the connector to either search for "Fortigate*" or simply remove the "where DeviceProduct == "Fortigate"" clause completely?

Thank you in advance.

Re: Azure Sentinel: The Syslog and CEF source configuration grand list

@arvkris: we are aware of this bug and are working to resolve it. As you mentioned, it affects only the connector page.

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

Hi,

We have a FortiGate; we can see on tcpdump that logs are received by the syslog daemon and forwarded to the Sentinel agent on port 25226.
On Log Analytics we see that logs are arriving, with the correct format:

0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|3|

but the Fortinet connector isn't showing any received log.

We are facing the same issue as @arvkris, and we think this is a parsing issue.

@Ofer_Shezaf is this bug that you mention corrected?

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

@hpinto

I think @arvkris's challenge was somewhat different:

- In his case, the second "Fortigate" (bolded in your example) was different and we missed on identifying it as Fortigate.
- In your case, if I understand correctly, you get the information as CEF rather than parsed in the workspace.

To that end, you see the value "0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|3|" in which field in which table?

~ Ofer

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

Hello,

Have Infoblox DNS Query/Response logs been tested with Azure Sentinel?
I am trying to test it; so far I found the following:

1. Infoblox DNS seems to generate only Threat Logs in CEF. The other logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:
#<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)

I am not even seeing these logs in the Sentinel workspace. The logs arrive at the Syslog agent and get forwarded to the omsagent process over port 25226, but beyond that I don't see them anywhere.

Please advise:
1. Should we create a custom parser for Infoblox query/response logs, or has Microsoft already addressed them?
2. How to troubleshoot log processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troubleshooting files or tables to look into?
3. By having a vendor connector listed in the Azure Sentinel connector list, such as ASA, Fortigate, .., does this mean having a "parser" in the background? The thing is, all such vendor connectors do query the CommonSecurityLog with a filter of "device vendor", so I don't fully understand the technical meaning of "having an xx vendor connector".

Thanks in advance.

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

@majo1:

First to your specific challenge: since the events are Syslog, they require setting up the Syslog connector rather than, or in addition to, the CEF connector. As things are now, the Syslog messages are rejected.

To have a single connector VM support both CEF and Syslog:

1. Install the CEF connector VM using the instructions in the connector page (the new procedure, in case yours was set up before October).
2. Configure the facilities & priorities that you want to get Syslog messages of using Settings -> Workspace Settings -> Advanced Settings -> Data -> Syslog
3. Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection

That's it. If #3 is not doable, we will have to revert to config file editing on the VM.

As to your question:

- You will need custom parsers as described in the custom connector blog post (https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Creating-Custom-Connectors/ba-p/864060).
- A troubleshooting script is available for CEF (https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#step-3-validate-connectivity). For Syslog I suggest working with support.
- Having a connector listed in the connector page implies parsing; however, most of them are CEF, which means parsed as sent. This does not hold true for the list here.

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

Hi @Ofer_Shezaf

In our case our FortiGate sends syslog messages in CEF format; we have installed the Azure onboarding agent and CEF connector on a Linux machine.

On Log Analytics, we can see that the FortiGate logs are arriving.

Syslog Message: 0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|
Facility: local4
Process Name: CEF
Type: syslog

When we go to Data Connectors (Fortinet) we didn't see any last received log, and on the CEF connector either.

This is the only device from which we send syslog in CEF format.

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

@hpinto:

I assume you also enabled, or at least modified, the Syslog facilities as described in my response to @majo1 above. If the facilities include local4, you will receive the CEF message *also* in the Syslog table. To avoid this you need to make sure that CEF events use a facility which is not configured for Syslog. For Fortinet use:

config log settings
    set facility <FACILITY_NAME>
end

This still leaves the question of why you did not get a CEF copy. Did you go through the steps here: https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#step-3-validate-connectivity ?

Re: Azure Sentinel: The Syslog and CEF source configuration grand list

@Chi_Duong: Yes, but it would require direct edits to the agent and syslog daemon configuration files.

Update (Dec 26th 2019): You no longer need to directly edit the configuration files:

1. Install the CEF connector VM using the instructions in the connector page.
2. Configure the facilities & priorities that you want to get Syslog messages of using Settings -> Workspace Settings -> Advanced Settings -> Data -> Syslog
3. Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection

That's it. If #3 is not doable, we will have to revert to config file editing on the VM.

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

Hi @Ofer_Shezaf

Yes, we did those steps on the CEF connector; this is why we comment on the post, because we can't get CEF working. It's frustrating, because the OMS agent says that it collects logs on 25256.

The events are observed by the CEF troubleshooter.

Security-config-omsagent.conf contains rsyslog.d routing configuration
rsyslog daemon configuration was found valid.
Trying to restart syslog daemon
Restarting rsyslog daemon - 'sudo service rsyslog restart'
Redirecting to /bin/systemctl restart rsyslog.service
rsyslog daemon restarted.
This will take a few seconds.
Omsagent restarted.
This will take a few seconds.
Incoming port grep: 0.0.0.0:514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*
Daemon incoming port 514 is open
Incoming port grep: 25226
tcp 0 0 127.0.0.1:25226 0.0.0.0:* LISTEN
Omsagent is listening to incoming port 25226
Validating CEF\ASA into rsyslog daemon - port 514
This will take 60 seconds.
sudo tcpdump -A -ni any port 514 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:50.745647 IP (tos 0x0, ttl 64, id 55478, offset 0, flags [DF], proto TCP (6), length 1335)
10.35.72.145.13129 > 10.35.72.147.shell: Flags [P.], cksum 0x7dcb (correct), seq 24964634:24965917, ack 15089686, win 229, options [nop,nop,TS val 1370415842 ecr 324117405], length 1283
E..7..@.@...
#H.
#H.3I...|....@.....}......
Received CEF\ASA message in daemon incoming port.[514]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 514 -vv'
Fetching CEF messages from daemon files.

Then we need to go to Data Connectors -> Syslog -> add syslog facility, or otherwise the message doesn't appear on Log Analytics.

On Fortinet we can only specify the facility as syslog, alert, auth, kernel, local0, etc... We have specified the syslog facility.

This is a parsing issue, because the message is sent as syslog, and Sentinel reads the CEF and maps it as Process Name: CEF.

But on Data Connectors we didn't see any green connector for CEF or Fortinet.

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

My mistake, I didn't attach the tcpdump of the OMS agent:

udo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:58.743394 IP (tos 0x0, ttl 64, id 61856, offset 0, flags [DF], proto UDP (17), length 904)
127.0.0.1.35443 > 127.0.0.1.25226: [bad udp cksum 0x0188 -> 0x84d8!] UDP, length 876
Received CEF message in agent incoming port.[25226]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 25226 -vv'

On Log Analytics we can only see the message when we set the data connector facility to syslog; otherwise we don't see anything, neither as a Syslog message nor as a CEF message.

Here is a TCP dump:

127.0.0.1.35443 > 127.0.0.1.25226: [bad udp cksum 0x0138 -> 0xbaba!] UDP, length 796
E..8v.@.@..0.........sb..$.8<190>Dec 26 16:04:23 xxxx-xxx CEF: 0|Fortinet|Fortigate|v6.2.0|28704|utm:app-ctrl app-ctrl-all

On Log Analytics:

ProcessName: CEF
SyslogMessage: 0|Fortinet|Fortigate|v6.2.0|0001
Facility: Syslog

Which facility did MS recommend for this to work?

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

@hpinto: I think that a support ticket might be a better option to resolve this. One thing I did notice in the data you sent is that it seems that rsyslog forwards on UDP 25226, while the default (new) configuration for the OMS agent is to listen on TCP 25226.

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

@majo1: your comment came out empty.

Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list

Most network and security systems support either Syslog or CEF (Common Event Format, https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557) over Syslog as the means for sending data to a SIEM. This makes Syslog or CEF the most straightforward ways to stream security and networking events to Azure Sentinel. Want to learn more about best practices for CEF collection? See https://techcommunity.microsoft.com/t5/Azure-Sentinel/Best-Practices-for-Common-Event-Format-CEF-collection-in-Azure/ba-p/969990.

The advantage of CEF over Syslog is that it ensures the data is normalized, making it more immediately useful for analysis using Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query-time parsing.

The number of systems supporting Syslog or CEF is in the hundreds, making the table below by no means comprehensive. We will update this list continuously. The table provides links to the source device's vendor documentation for configuring the device to send events in Syslog or CEF.

Tip: Want to ingest test CEF data? Here is how to do that: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Ingest-Sample-CEF-data-into-Azure-Sentinel/ba-p/1064158

For completeness, we have also included sources that log to Sentinel directly using the native Sentinel API, as well as those that can log to Windows Event Log and be read by Sentinel's Windows collection methods.

Vendor | Product | Connector | Information
Akamai | | CEF | Instructions: https://developer.akamai.com/tools/integrations/siem
Apache | httpd | Syslog | Using rsyslog or logger as a file forwarder: https://www.loggly.com/ultimate-guide/centralizing-apache-logs/
Aruba |
%20height%3A%2029px%3B%22%3E%20%3CP%3EClearPass%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.arubanetworks.com%2Ftechdocs%2FClearPass%2F6.8%2FPolicyManager%2Findex.htm%23CPPM_UserGuide%2FAdmin%2FsyslogExportFilters_add_syslog_filter_general.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EAWS%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECloudWatch%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECustom%26nbsp%3B%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EUsing%20Logstash.%20See%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FHunting-for-Capital-One-Breach-TTPs-in-AWS-logs-using-Azure%2Fba-p%2F1019767%22%20target%3D%22_self%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECarbon%20Black%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EDefense%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdevelope
r.carbonblack.com%2Freference%2Fcb-defense%2Fintegrations%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECarbon%20Black%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EResponse%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.carbonblack.com%2F2016%2F06%2Fcb-event-forwarder-3.2.0-released%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECheckpoint%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-checkpoint%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built%20in%20CEF%20connector%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20193px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valig
n%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20156.667px%3B%22%3EASA%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%2088.6667px%3B%22%3ECisco%20(CEF)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESentinel%20built-in%20CEF%20connector%3C%2FP%3E%20%3CP%3ENotes%3A%3C%2FP%3E%20%3CP%3E-%20Cisco%20ASA%20support%20uses%20Sentinel's%20CEF%20pipeline.%20However%2C%20Cisco's%20logging%20is%20not%20in%20CEF%20format.%3C%2FP%3E%20%3CP%3E-%20Make%20sure%20you%20disable%20logging%20timestamp%20using%20%22no%20logging%20timestamp%22.%20See%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fasa%2Fasa82%2Fcommand%2Freference%2Fcmd_ref%2Fl2.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3Ehere%3C%2FA%3E%26nbsp%3Bfor%20more%20details.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3ECloud%20Security%20Gateway%20(CWS)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3EUse%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fwsa%2FAdvanced_Reporting%2FWSA_Advanced_Reporting_6%2FAdvanced_Web_Security_Reporting_6_3.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3ECisco%20Advanced%20Web%20Security%20Reporting%3C%2FA%3E.%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2
056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EWeb%20Security%20Appliances%20(WSA)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3EUse%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fwsa%2FAdvanced_Reporting%2FWSA_Advanced_Reporting_6%2FAdvanced_Web_Security_Reporting_6_3.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3ECisco%20Advanced%20Web%20Security%20Reporting%3C%2FA%3E.%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EMeraki%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocumentation.meraki.com%2FzGeneral_Administration%2FMonitoring_and_Reporting%2FSyslog_Server_Overview_and_Configuration%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocumentation.meraki.com%2FzGeneral_Administration%2FMonitoring_and_Reporting%2FSyslog_Event_Types_and_Log_Samples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%2
0noopener%20noreferrer%20noopener%20noreferrer%22%3EEvent%20Types%20and%20Log%20Samples%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EFirepower%20Threat%20Defense%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Ffirepower%2F601%2Fconfiguration%2Fguide%2Ffpmc-config-guide-v601%2FConfiguring_External_Alerting.html%3FbookSearch%3Dtrue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%22%3EFireSight%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Fsupport%2Fdocs%2Fsecurity%2Ffiresight-management-center%2F118464-configure-firesight-00.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EIronPort%20Web%20Security%20Appliance
%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwiki.splunk.com%2FSet_up_Splunk_for_Cisco_IronPort_Web_Security_Appliance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3ENexus%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fswitches%2Fdatacenter%2Fnexus5000%2Fsw%2Fconfiguration%2Fguide%2Fcli_rel_4_1%2FCisco_Nexus_5000_Series_Switch_CLI_Software_Configuration_Guide_chapter26.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%22%3EUmbrella%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%22%3ECustom%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%22%3E%20%3CP%3ESee%20%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fpulse%2Fcurious-case-saas-3rd-party-azure-sentinel-nathan-swift%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20blog%20post%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20st
yle%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECirtix%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3ENetScaler%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.citrix.com%2Farticle%2FCTX121728%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper-docs.citrix.com%2Fprojects%2Fnetscaler-syslog-message-reference%2Fen%2F12.0%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EMessage%20format%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECitrix%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3ENetScaler%20App%20FW%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.citrix.com%2Farticle%2FCTX136146%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECrowdStrike%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD
%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EFalcon%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3EUse%20a%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.crowdstrike.com%2Fresources%2Fdata-sheets%2Ffalcon-connector%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESIEM%20connector%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Einstalled%20on%20premises%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20111px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECyberArk%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20156.667px%3B%22%3E%3CSPAN%3EPrivileged%20Access%20Security%3C%2FSPAN%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.cyberark.com%2FProduct-Doc%2FOnlineHelp%2FPAS%2FLatest%2Fen%2FContent%2FPTA%2FOutbound-Sending-%2520PTA-syslog-Records-to-SIEM.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.cyberark.com%2FProduct-Doc%2FOnlineHelp%2FPAS%2FLatest%2Fen%2FContent%2FPTA%2FCEF-Based-Format-Definition.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMessage%20format%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20a%26nbsp%3B%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3
E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FCannot-get-CommonSecurityLog-Events-to-show-in-Sentinel-quot%2Fm-p%2F508132%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Echange%20is%20required%20in%20the%20MMA%20configuration%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EDarktrace%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EImmune%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESee%20%3CA%20href%3D%22https%3A%2F%2Fwww.darktrace.com%2Fen%2Fpress%2F2016%2F73%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eannouncement%3C%2FA%3E.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EF5%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EWAF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-f5%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built-in%20connector%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EF5%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C
TD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EBigIP%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESyslog%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.f5.com%2Fcsp%2Farticle%2FK13080%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%2C%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechdocs.f5.com%2Fkb%2Fen-us%2Fproducts%2Fbig-ip_ltm%2Fmanuals%2Fproduct%2Ftmos-implementations-11-5-1%2F23.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETLS%20instructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3EDirect%3A%20%3CA%20href%3D%22https%3A%2F%2Fdevcentral.f5.com%2Fs%2Farticles%2FIntegrating-the-F5-BIGIP-with-Azure-Sentinel%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eblog%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fclouddocs.f5.com%2Fproducts%2Fextensions%2Ff5-telemetry-streaming%2Flatest%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Einstructions%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmicrosofteur.sharepoint.com%2F%3Av%3A%2Ft%2FAzureSentinelProductInfo%2FEYoEiJ0yaXFCqkySHspyz6YByAYIkehOSSvbBQn6UoxiJQ%3Fe%3De5pkhR%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHow%20to%20video%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CSTRONG%3EFireEye%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3ENX%3C%2FTD%3E%20%3C
TD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3EWe%20could%20not%20find%20the%20vendors%20documentation.%20See%203rd%20party%20instructions%20%3CA%20href%3D%22https%3A%2F%2Finsightidr.help.rapid7.com%2Fdocs%2Ffireeye-nx%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CSTRONG%3EForcepoint%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3EWeb%20Security%20(WebSense)%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.websense.com%2Fcontent%2Fsupport%2Flibrary%2Fweb%2Fv78%2Ftriton_web_help%2Fsettings_siem_explain.aspx%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.websense.com%2Fcontent%2Fsupport%2Flibrary%2Fweb%2Fv76%2Fsiem%2Fsiem.pdf%23page%3D22%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDetailed%20reference%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EFortinet%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22h
eight%3A%2084px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-fortinet%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built-in%20CEF%20connector%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.fortinet.com%2Fdocument%2Ffortigate%2F6.2.0%2Ffortios-log-message-reference%2F998820%2Ffortios-to-cef-log-field-mapping-guidelines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ELog%20message%20reference%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.fortinet.com%2Fdocument%2Ffortigate%2F6.2.0%2Ffortios-log-message-reference%2F127777%2Fexamples-of-cef-support%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECEF%20mapping%20and%20examples%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EFortinet%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ESIEM%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.fortinet.com%2Ffa%2Ffaz50hlp%2F56%2F5-6-1%2FFMG-FAZ%2F2400_System_Settings%2F1600_Log%2520Forwarding%2F0400_Configuring.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EHP%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20
156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EPrinters%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fh10032.www1.hp.com%2Fctg%2FManual%2Fc04531741%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EIBM%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EzSecure%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESee%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.ibm.com%2Fsupport%2Fknowledgecenter%2Fen%2FSS2RWS_2.3.0%2Fcom.ibm.zsecure.doc_2.3.0%2Fabout_this_release%2Fabout_rel_whats_new.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat's%20new%20for%20zSecure%20V2.3.0%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20it%20supports%20alerts%20only.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EImperva%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3ESecureSphere%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E
%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.imperva.com%2Fdocs%2FSB_Imperva_SecureSphere_CEF_guide.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%3CSTRONG%3EInfoblox%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3EOn-premises%20appliance%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.infoblox.com%2Fdisplay%2FNAG8%2FUsing%2Ba%2BSyslog%2BServer%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3EKaspersky%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3ESecurity%20Center%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.kaspersky.com%2FKSC%2FEventExport%2Fen-US%2F140022.htm%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG
Microsoft

Most network and security systems support either Syslog or CEF (Common Event Format) over Syslog as a means of sending data to a SIEM. This makes Syslog or CEF the most straightforward way to stream security and networking events to Azure Sentinel. Want to learn more about best practices for CEF collection? See here.

 

The advantage of CEF over plain Syslog is that it ensures the data is normalized, making it immediately useful for analysis in Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query-time parsing.

 

The number of systems supporting Syslog or CEF is in the hundreds, making the table below by no means comprehensive. We will update this list continuously. The table provides links to the source device's vendor documentation for configuring the device to send events in Syslog or CEF.

 

Tip: Want to ingest test CEF data? Here is how to do that.

 

For completeness, we have also included sources that log to Sentinel directly using the native Sentinel API, as well as those that can log to the Windows Event Log and be read by Sentinel's Windows collection methods.

 

| Vendor | Product | Connector | Information |
| --- | --- | --- | --- |
| Akamai | | CEF | Instructions |
| Apache | httpd | Syslog | Using rsyslog or logger as a file forwarder |
| Aruba | ClearPass | CEF | Instructions |
| AWS | CloudWatch | Custom | Using Logstash. See here. |
| Carbon Black | Defense | Syslog | Instructions |
| Carbon Black | Response | Syslog | Instructions |
| Checkpoint | | CEF | Sentinel built-in CEF connector |
| Cisco | ASA | Cisco (CEF) | Sentinel built-in CEF connector. Notes: Cisco ASA support uses Sentinel's CEF pipeline; however, Cisco's logging is not in CEF format. Make sure you disable logging timestamps using "no logging timestamp". See here for more details. |
| Cisco | Cloud Security Gateway (CWS) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Web Security Appliances (WSA) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Meraki | Syslog | Instructions; Event Types and Log Samples |
| Cisco | Firepower Threat Defense | Syslog | Instructions |
| Cisco | FireSight | Syslog | Instructions |
| Cisco | IronPort Web Security Appliance | Syslog | Instructions |
| Cisco | Nexus | Syslog | Instructions |
| Cisco | Umbrella | Custom | See this blog post |
| Citrix | NetScaler | Syslog | Instructions; Message format |
| Citrix | NetScaler App FW | CEF | Instructions |
| CrowdStrike | Falcon | CEF | Use a SIEM connector installed on premises |
| CyberArk | Privileged Access Security | CEF | Instructions; Message format. Note that a change is required in the MMA configuration. |
| Darktrace | Immune | CEF | See announcement. |
| F5 | WAF | CEF | Sentinel built-in connector |
| F5 | BigIP | Syslog | Syslog: Instructions, TLS instructions. Direct: blog, instructions, how-to video |
| FireEye | NX | CEF | We could not find the vendor's documentation. See 3rd-party instructions here. |
| Forcepoint | Web Security (WebSense) | CEF | Instructions; Detailed reference |
| Fortinet | | CEF | Sentinel built-in CEF connector; Log message reference; CEF mapping and examples |
| Fortinet | SIEM | CEF | Instructions |
| HP | Printers | Syslog | Instructions |
| IBM | zSecure | CEF | See What's new for zSecure V2.3.0. Note that it supports alerts only. |
| Imperva | SecureSphere | CEF | Instructions |
| Infoblox | On-premises appliance | Syslog | Instructions |
| Kaspersky | Security Center | Syslog | Instructions |
| McAfee | ePO | Syslog | Instructions; KB Article. Note: TLS only (requires rsyslog TLS configuration) |
| McAfee | Web Gateway | CEF | Instructions |
| Microsoft | SQL | Windows Event Log | Instructions |
| NetApp | ONTAP | Syslog | Instructions. Note that those are management activity audit logs and not file usage activity logs. |
| Oracle | DB | Syslog | Instructions |
| Palo Alto | PanOS | CEF | Sentinel built-in CEF connector |
| Palo Alto | Panorama | CEF | Instructions |
| Palo Alto | Traps through Cortex | Syslog | Instructions. Notes: requires rsyslog configuration to support RFC 5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA. |
| Postgres | DB | Syslog, Windows Event Log | Instructions |
| SAP | Haha | Syslog | Instructions (requires an SAP account) |
| SonicWall | | CEF | Instructions. Make sure you select local use 4 as the facility and ArcSight as the Syslog format. |
| Squid Proxy | | Syslog | Configure access logs with either the TCP or UDP modules. Sentinel's built-in queries use the default log format. |
| Symantec | DLP | Syslog, CEF | Instructions (note that only UDP is supported); Instructions (uses response automation) |
| Symantec | WSG (Bluecoat) | Syslog | Instructions. Note that only TCP is supported, which requires rsyslog configuration to use TCP. |
| Symantec | Endpoint Protection Manager | Syslog | Instructions |
| Symantec | Cloud Workload Protection | API | Instructions |
| Trend Micro | | CEF | Using Control Manager; Using LogForwarder |
| Trend Micro | Deep Security | CEF | Instructions; Instructions for Azure VM |
| Varonis | DatAlert | CEF | Instructions |
| WatchGuard | | CEF | Instructions |
| zScaler | | CEF | See zScaler NSS and the ArcSight integration guide. |
18 Comments
New Contributor

Is Azure Sentinel planning on normalising ingested logs? Other players in this space are normalising ingested logs (see Elastic Common Schema), CEF being a legacy example. Is the Azure Sentinel team planning on defining a normalised data model for ingested Azure and legacy logs? This would make querying data sets a lot simpler.

 

At the moment logs are disparately sprayed across different Log Analytics workspace tables (this might be the wrong name):

SignInLogs -- AAD logs

AzureDiagnostics - SQL PaaS logs

SecurityEvent - Windows server logs - Split across windows and

Unix VM logs - Syslog

 

Otherwise, could the MS team provide some guidance per Azure service on where the logs are recorded and how you can link or query across these unique Log Analytics tables?

 

Thanks in advance for your assistance. 

 

 

Frequent Visitor

The last two Fortinet links are dead.

Microsoft

@arvkris : fixed. I hope they don't change their links again...

New Contributor

Can a single Syslog/CEF server be used to stream CEF and syslog data sources?

Microsoft

@Chi_Duong : Yes, but it would require directly editing the agent and syslog daemon configuration files.

 

Update (Dec 26th 2019): You no longer need to directly edit the configuration files:

  1. Install the CEF connector VM using the instructions in the connector page.
  2. Configure the facilities & priorities that you want to get Syslog messages of using Settings -> Workspace Settings -> Advanced Settings -> Data -> Syslog
  3. Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection

That’s it. If #3 is not doable, we will have to revert to config file editing on the VM.

Frequent Visitor

 

*NOTE* We already have a support case with the vendor (Fortinet) but so far all we've got is "we cannot help you now, we have only tested this out on virtual appliances". *NOTE*

 

Is there any way to change the "default query" of a connector?

 

We have a bunch of physical FortiGate appliances, from which log shipping in CEF format to Sentinel works fine (we can see the entries in CommonSecurityLog), but they're not logged as "Fortinet" per se;

 

An example log post:

`Oct 24 14:27:07 DEVICE_HOSTNAME CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013|forward traffic close|5|start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FG....`

 

However, the Fortinet connector says "not connected".


 

 

Our guess is because Sentinel is looking for something like this (as one of the example queries):

 


... where DeviceProduct == “Fortigate” …
We assume the culprit is that it’s looking for “Fortigate”, not a wildcard “Fortigate*”, and the Fortinet physical appliances report their model as Fortigate-$MODEL.

 

So.. can we somehow change the “default query” for the connector to either search for “Fortigate*” or simply remove the “where DeviceProduct == “Fortigate”” clause completely?

 

Thank you in advance.
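As an added example (not part of the post above and not Sentinel's own parser), this Python splits a CEF-over-syslog line into the header fields that CommonSecurityLog exposes and shows why an exact match on DeviceProduct misses a physical appliance reporting "FortiGate-300E". The sample line is a constructed completion of the truncated one quoted above; host name, IDs and extension values are placeholders.

```python
import re

# Constructed sample based on the truncated line quoted in the post above;
# the host name, device ID and extension values are placeholders.
SAMPLE = ("Oct 24 14:27:07 DEVICE_HOSTNAME CEF: 0|Fortinet|FortiGate-300E|"
          "6.0.5,build0268 (GA)|0000000013|forward traffic close|5|"
          "start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FGPLACEHOLDER "
          "msg=action\\=close src=10.0.0.1 dst=10.0.0.2")

# CommonSecurityLog column names for the six header fields after the CEF version.
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")


def split_header(body):
    """Split 'Version|Vendor|Product|Version|ClassID|Name|Severity|ext' on
    unescaped pipes. CEF writes a literal pipe inside a header value as '\\|'."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped char: keep the next one literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":                        # unescaped pipe ends a header field
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields, body[i:]


# A key is a run of word characters followed by '=' at the start or after whitespace;
# an escaped '\=' inside a value therefore never starts a new key.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_extension(ext):
    """Extension is 'key=value key=value ...'; values may contain spaces, and a
    literal '=' or '\\' inside a value is written as '\\=' or '\\\\'."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef_syslog(line):
    """Return a CommonSecurityLog-style view of one CEF-over-syslog line."""
    if "CEF:" not in line:
        raise ValueError("no 'CEF:' marker: not a CEF message")
    body = line.split("CEF:", 1)[1].strip()
    fields, ext = split_header(body)
    record = {"CEFVersion": fields[0]}
    record.update(zip(HEADER_COLUMNS, fields[1:7]))
    record["Extensions"] = parse_extension(ext)
    return record


def product_matches(record, expected="Fortigate"):
    """Exact comparison (what the connector page was reported to use) next to a
    case-insensitive prefix match that also accepts 'FortiGate-300E'."""
    product = record["DeviceProduct"]
    return product == expected, product.lower().startswith(expected.lower())


if __name__ == "__main__":
    rec = parse_cef_syslog(SAMPLE)
    print(rec["DeviceVendor"], rec["DeviceProduct"], rec["Extensions"]["msg"])
    print(product_matches(rec))  # (False, True)
```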

 

Microsoft

@arvkris : we are aware of this bug and are working to resolve. As you mentioned, it affects only the connector page.

Regular Visitor

Hi,

 

We have a Fortigate; we can see with tcpdump that logs are received by the syslog daemon and forwarded to the Sentinel agent on port 25226.

On log analytics we see that logs are arriving, with the correct format:

 

0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|3|

 

but the connector of Fortinet isn't showing any received log. 

 

We are facing the same issue as @arvkris, and we think this is a parsing issue.

 

@Ofer_Shezaf, is the bug that you mention corrected?

Microsoft

@hpinto

 

I think @arvkris's challenge was somewhat different

  • In his case, the second "Fortigate" (bolded in your example) was different and we missed on identifying it as Fortigate.
  • In your case, if I understand correctly, you get the information as CEF rather than parsed in the workspace. 

 

To that end, you see the value "0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|3|" in which field in which table?

 

~ Ofer

Occasional Contributor

Hello,

 

Have Infoblox DNS Query/Response logs been tested with Azure Sentinel ?

I am trying to test it; so far I found the following:

 

1.  Infoblox DNS seems to generate only Threat Logs in CEF. The other logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:

#<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)

 

I am not even seeing these logs in the Sentinel workspace. The logs arrive at the Syslog agent and get forwarded to the omsagent process over port 25226, but beyond that I don't see them anywhere.

 

Please advise:

1. Should we create a custom parser for Infoblox query/response logs, or has Microsoft already addressed them?

2. How to troubleshoot log processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troubleshooting files or tables to look into?

3. By having a vendor connector listed in the Azure Sentinel connector list, such as ASA, Fortigate, .., does this mean having a "parser" in the background? The thing is, all such vendor connectors query the CommonSecurityLog with a filter on "device vendor", so I don't fully understand the technical meaning of "having an xx vendor connector".

 

Thanks in advance.

 

Microsoft

@majo1 :

 

First to your specific challenge: since the events are Syslog, they require setting up the Syslog connector rather than, or in addition to, the CEF connector. As things are now, the Syslog messages are rejected.

 

To have a single connector VM support both CEF and Syslog:

  1. Install the CEF connector VM using the instructions in the connector page (the new procedure in case yours was setup before October).
  2. Configure the facilities & priorities that you want to get Syslog messages of using Settings -> Workspace Settings -> Advanced Settings -> Data -> Syslog
  3. Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection

 

That’s it. If #3 is not doable, we will have to revert to config file editing on the VM.

 

As to your question:

  • You will need custom parsers as described in the custom connector blog post.
  • A troubleshooting script is available for CEF. For Syslog I suggest working with support.
  • Having a connector listed in the connector page implies parsing, however most of them are CEF, which means parsed as sent. This does not hold true for the list here.
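As an added example (not part of this reply or of Sentinel's tooling), this Python models step 3 of the procedure above and the local4 remark further down the thread: each sample line's PRI is decoded into facility and severity, and the message is routed the way the collector VM would route it given the facilities selected for Syslog collection. The named[] line reuses the Infoblox query log quoted earlier; the CEF line is the thread's FortiGate header with an assumed local4 PRI prepended; the sshd line is constructed.

```python
import re

# Facility and severity names per RFC 5424 section 6.2.1 (PRI = facility * 8 + severity).
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
_PRI = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) names from the leading <PRI> of a syslog line."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITIES[fac], SEVERITIES[sev]


def route(line, syslog_facilities, cef_marker="CEF:"):
    """Model the collector's two paths: a line carrying the CEF marker goes to
    CommonSecurityLog; a line whose facility is selected for Syslog collection
    goes to the Syslog table. Both at once means the event lands twice."""
    fac, sev = decode_pri(line)
    tables = []
    if cef_marker in line:
        tables.append("CommonSecurityLog")
    if fac in syslog_facilities:
        tables.append("Syslog")
    return fac, sev, tables


def audit(lines, syslog_facilities):
    """Step 3 check: report CEF events that would be duplicated into the Syslog
    table and plain Syslog events that would be dropped for lack of a facility."""
    report = {"duplicated": [], "dropped": [], "ok": []}
    for line in lines:
        fac, _sev, tables = route(line, syslog_facilities)
        if len(tables) == 2:
            report["duplicated"].append(fac)
        elif not tables:
            report["dropped"].append(fac)
        else:
            report["ok"].append(fac)
    return report


# Constructed samples: <166> = local4.info (as in the Infoblox line quoted in the
# thread), <30> = daemon.info. The local4 PRI on the CEF line is an assumption.
SAMPLES = [
    "<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 "
    "192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)",
    "<166>Oct 24 14:27:07 fw1 CEF: 0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|3|",
    "<30>Oct 24 14:27:08 fw1 sshd[2211]: Accepted publickey for admin from 10.0.0.5",
]


def move_cef_facility(line, new_pri):
    """Simulate the vendor-side 'set facility' change by rewriting the PRI."""
    return _PRI.sub("<%d>" % new_pri, line, count=1)


if __name__ == "__main__":
    # Selecting local4 to pick up the Infoblox queries also duplicates the CEF events.
    print(audit(SAMPLES, {"local4"}))
    # Moving the CEF source to local5 (<174> = local5.info) resolves the collision.
    fixed = [SAMPLES[0], move_cef_facility(SAMPLES[1], 174), SAMPLES[2]]
    print(audit(fixed, {"local4", "daemon"}))
```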
Regular Visitor

Hi @Ofer_Shezaf 

 

In our case our Fortigate sends syslog messages in CEF format; we have installed the Azure Onboard Agent and CEF Connector on a Linux machine.

 

On Log Analytics, we can see that the Fortigate logs are arriving.

 

Syslog Message: 0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|

Facility: local4

Process Name: CEF

Type: syslog

 

When we go to Data Connectors (Fortinet) we don't see any last received log, and not on the CEF connector either.

 

This is the only device from which we send syslog in CEF format.

Microsoft

@hpinto : 

 

I assume you also enabled, or at least modified, the Syslog facilities as described in my response to @majo1 above. If the facilities include local4, you will receive the CEF message *also* in the Syslog table. To avoid this you need to make sure that CEF events use a facility which is not configured for Syslog. For Fortinet, use:

config log settings
set facility <facility_name>
end

 

This still leaves the question of why you did not get a CEF copy. Did you go through the steps here: https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#step-3-validate-connecti...?

Regular Visitor

Hi @Ofer_Shezaf 

 

Yes, we did those steps on the CEF connector; this is why we commented on the post, because we can't get the CEF working. It's frustrating, because the OMS Agent says that it collects logs on 25256.

 

The events are observed by the CEF Troubleshooter.


Security-config-omsagent.conf contains rsyslog.d routing configuration
rsyslog daemon configuration was found valid.
Trying to restart syslog daemon
Restarting rsyslog daemon - 'sudo service rsyslog restart'
Redirecting to /bin/systemctl restart rsyslog.service
rsyslog daemon restarted.
This will take a few seconds.
Omsagent restarted.
This will take a few seconds.
Incoming port grep: 0.0.0.0:514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*

Daemon incoming port 514 is open
Incoming port grep: 25226
tcp 0 0 127.0.0.1:25226 0.0.0.0:* LISTEN

Omsagent is listening to incoming port 25226
Validating CEF\ASA into rsyslog daemon - port 514
This will take 60 seconds.
sudo tcpdump -A -ni any port 514 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:50.745647 IP (tos 0x0, ttl 64, id 55478, offset 0, flags [DF], proto TCP (6), length 1335)
10.35.72.145.13129 > 10.35.72.147.shell: Flags [P.], cksum 0x7dcb (correct), seq 24964634:24965917, ack 15089686, win 229, options [nop,nop,TS val 1370415842 ecr 324117405], length 1283
E..7..@.@...
#H.
#H.3I...|....@.....}......
Received CEF\ASA message in daemon incoming port.[514]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 514 -vv'
Fetching CEF messages from daemon files.


Then we need to go to Data Connectors -> Syslog -> add syslog facility, or otherwise the message doesn't appear in Log Analytics.

On Fortinet we can only specify the facility as syslog, alert, auth, kernel, local0, etc. We have specified the syslog facility.

This is a parsing issue, because the message is sent as syslog, and Sentinel reads the CEF and maps it as Process Name: CEF.

But on data connectors we don't see any green connector for CEF or Fortinet.

Regular Visitor

My mistake, I didn't attach the tcpdump of the OMS Agent:

sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:58.743394 IP (tos 0x0, ttl 64, id 61856, offset 0, flags [DF], proto UDP (17), length 904)
127.0.0.1.35443 > 127.0.0.1.25226: [bad udp cksum 0x0188 -> 0x84d8!] UDP, length 876
Received CEF message in agent incoming port.[25226]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 25226 -vv'


On Log Analytics we can only see the message when we set the data connector facility to syslog; otherwise we don't see anything, neither a Syslog message nor a CEF message.

Here is a tcpdump:

127.0.0.1.35443 > 127.0.0.1.25226: [bad udp cksum 0x0138 -> 0xbaba!] UDP, length 796
E..8v.@.@..0.........sb..$.8<190>Dec 26 16:04:23 xxxx-xxx CEF: 0|Fortinet|Fortigate|v6.2.0|28704|utm:app-ctrl app-ctrl-all 


On Log Analytics:

ProcessName: CEF

SyslogMessage: 0|Fortinet|Fortigate|v6.2.0|0001

Facility: Syslog


Which facility did MS recommend for this to work?

Microsoft

@hpinto : I think that a support ticket might be a better option to resolve this. One thing I did notice in the data you sent is that it seems that rsyslog forwards on UDP 25226 while the default (new) configuration for the OMS agent is to listen to TCP 25226.

Occasional Contributor


Microsoft

@majo1 : your comment came out empty.