<LINGO-SUB id="lingo-sub-822693" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-822693" slang="en-US">
<P>Is Azure Sentinel planning on normalising ingested logs? Other players in this space are normalising ingested logs (see Elastic Common Schema), with CEF being a legacy example. Is the Azure Sentinel team planning on defining a normalised data model for ingested Azure and legacy logs? This would make querying data sets a lot simpler.</P>
<P>At the moment logs are disparately sprayed across different Log Analytics workspace tables (this might be the wrong name):</P>
<P>SignInLogs -- AAD logs</P>
<P>AzureDiagnostics - SQL PaaS logs</P>
<P>SecurityEvent - Windows server logs - split across Windows and</P>
<P>Unix VM logs - Syslog</P>
<P>Otherwise, could the MS team provide some guidance per Azure service on where the logs are recorded and how you can link or query across these unique Log Analytics tables?</P>
<P>Thanks in advance for your assistance.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1011025" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1011025" slang="en-US">
<P>The last two Fortinet links are dead.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1013906" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1013906" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/458905" target="_blank">@arvkris</A>: fixed. I hope they don't change their links again...</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1024543" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1024543" slang="en-US">
<P>Can a single Syslog/CEF server be used to stream CEF and syslog data sources?</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1030459" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1030459" slang="en-US">
<P>*NOTE* We already have a support case with the vendor (Fortinet) but so far all we've got is "we cannot help you now, we have only tested this out on virtual appliances". *NOTE*</P>
<P>Is there any way to change the "default query" of a connector?</P>
<P>We have a bunch of physical FortiGate appliances, from which log shipping in CEF format to Sentinel works fine (we can see the entries in CommonSecurityLog), but they're not logged as "Fortinet" per se.</P>
<P>An example log post:</P>
<PRE>Oct 24 14:27:07 DEVICE_HOSTNAME CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013|forward traffic close|5|start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FG....</PRE>
<P>However, the Fortinet connector says "not connected".</P>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/158766i18DB7548D496C598/image-size/medium?v=1.0&amp;px=400" alt="clipboard_image_0.png" /></P>
<P>Our guess is that Sentinel is looking for something like this (as one of the example queries):</P>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/158767i8E5F53B192FB21F6/image-size/medium?v=1.0&amp;px=400" alt="clipboard_image_1.png" /></P>
<P>... where DeviceProduct == “Fortigate” …<BR />We assume the culprit is that it’s looking for “Fortigate”, not a wildcard “Fortigate*”, and the Fortinet physical appliances report their model as Fortigate-<STRONG>$MODEL</STRONG>.</P>
<P>So... can we somehow change the “default query” for the connector to either search for “Fortigate*” or simply remove the “where DeviceProduct == “Fortigate”” clause completely?</P>
<P>Thank you in advance.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1030468" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1030468" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/458905" target="_blank">@arvkris</A>: we are aware of this bug and are working to resolve it. As you mentioned, it affects only the connector page.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1078381" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1078381" slang="en-US">
<P>Hi,</P>
<P>We have a Fortigate; we can see on tcpdump that logs are received by the syslog daemon and forwarded to the Sentinel agent on port 25226.</P>
<P>On Log Analytics we see that logs are arriving, with the correct format:</P>
<PRE>0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|3|</PRE>
<P>but the Fortinet connector isn't showing any received log.</P>
<P>We are facing the same issue as <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/458905" target="_blank">@arvkris</A>, and we think this is a parsing issue.</P>
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/293879" target="_blank">@Ofer_Shezaf</A>, is the bug that you mention corrected?</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1078551" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1078551" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/496851" target="_blank">@hpinto</A></P>
<P>I think <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/458905" target="_blank">@arvkris</A>'s challenge was somewhat different:</P>
<UL>
<LI>In his case, the second "Fortigate" (bolded in your example) was different and we missed identifying it as Fortigate.</LI>
<LI>In your case, if I understand correctly, you get the information as CEF rather than parsed in the workspace.</LI>
</UL>
<P>To that end, you see the value "0|Fortinet|<STRONG>Fortigate</STRONG>|v6.2.0|00013|traffic:forward deny|3|" in which field in which table?</P>
<P>~ Ofer</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1078600" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1078600" slang="en-US">
<P>Hello,</P>
<P>Have Infoblox DNS Query/Response logs been tested with Azure Sentinel?</P>
<P>I am trying to test it; so far I found the following:</P>
<P>1. Infoblox DNS seems to generate only Threat Logs in CEF. The other logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:</P>
<PRE>#&lt;166&gt;Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)</PRE>
<P>I am not even seeing these logs in the Sentinel workspace. The logs arrive at the Syslog agent and get forwarded to the omsagent process over port 25226, but beyond that I don't see them anywhere.</P>
<P>Please advise:</P>
<P>1. Should we create a custom parser for Infoblox query/response logs, or has Microsoft already addressed them?</P>
<P>2. How to troubleshoot log processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troubleshooting files or tables to look into?</P>
<P>3. By having a vendor connector listed in the Azure Sentinel connector list, such as ASA, Fortigate, .., does this mean having a "parser" in the background? The thing is, all such vendor connectors query the CommonSecurityLog with a filter on "device vendor", so I don't fully understand the technical meaning of "having an xx vendor connector".</P>
<P>Thanks in advance.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1079844" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1079844" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/469462" target="_blank">@majo1</A>:</P>
<P>First to your specific challenge: since the events are Syslog, they require setting up the Syslog connector rather than, or in addition to, the CEF connector. As things are now, the Syslog messages are rejected.</P>
<P>To have a single connector VM support both CEF and Syslog:</P>
<OL>
<LI>Install the CEF connector VM using the instructions in the connector page (the new procedure, in case yours was set up before October).</LI>
<LI>Configure the facilities &amp; priorities that you want to get Syslog messages of using Settings -&gt; Workspace Settings -&gt; Advanced Settings -&gt; Data -&gt; Syslog</LI>
<LI>Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection</LI>
</OL>
<P>That’s it. If #3 is not doable, we will have to revert to config file editing on the VM.</P>
<P>As to your question:</P>
<UL>
<LI>You will need custom parsers as described in the <A href="https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Creating-Custom-Connectors/ba-p/864060" target="_self">custom connector blog post</A>.</LI>
<LI>A troubleshooting script is available for <A href="https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#step-3-validate-connectivity" target="_self" rel="noopener noreferrer">CEF</A>. For Syslog I suggest working with support.</LI>
<LI>Having a connector listed in the connector page implies parsing; however, most of them are CEF, which means parsed as sent. This does not hold true for the list here.</LI>
</UL>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1080591" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1080591" slang="en-US">
<P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/293879" target="_blank">@Ofer_Shezaf</A></P>
<P>In our case our Fortigate sends syslog messages in CEF format; we have installed the Azure onboarding agent and CEF connector on a Linux machine.</P>
<P>On Log Analytics, we can see that the Fortigate logs are arriving.</P>
<P>Syslog Message: 0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|</P>
<P>Facility: local4</P>
<P>Process Name: CEF</P>
<P>Type: syslog</P>
<P>When we go to Data Connectors (Fortinet) we don't see any last received log, nor on the CEF connector either.</P>
<P>This is the only device from which we send syslog in CEF format.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1080638" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1080638" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/496851" target="_blank">@hpinto</A>:</P>
<P>I assume you also enabled, or at least modified, the Syslog facilities as described in my response to <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/469462" target="_blank">@majo1</A> above. If the facilities include local4, you will receive the CEF message *also* in the Syslog table. To avoid this you need to make sure that CEF events use a facility which is not configured for Syslog. For Fortinet use:</P>
<PRE><STRONG>config log settings
    set facility &lt;FACILITY_NAME&gt;
end</STRONG></PRE>
<P>This still leaves the question of why you did not get a CEF copy. Did you go through the steps here: <A href="https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#step-3-validate-connectivity" target="_blank" rel="noopener noreferrer">https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#step-3-validate-connectivity</A>?</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1030375" slang="en-US">Re: Azure Sentinel: The Syslog and CEF source configuration grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1030375" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/454716" target="_blank">@Chi_Duong</A>: Yes, but it would require direct edits to the agent and syslog daemon configuration files.</P>
<P><STRONG>Update (Dec 26th 2019):</STRONG> You no longer need to directly edit the configuration files:</P>
<OL>
<LI>Install the CEF connector VM using the instructions in the connector page.</LI>
<LI>Configure the facilities &amp; priorities that you want to get Syslog messages of using Settings -&gt; Workspace Settings -&gt; Advanced Settings -&gt; Data -&gt; Syslog</LI>
<LI>Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection</LI>
</OL>
<P>That’s it. If #3 is not doable, we will have to revert to config file editing on the VM.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1081076" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1081076" slang="en-US">
<P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/293879" target="_blank">@Ofer_Shezaf</A></P>
<P>Yes, we did those steps on the CEF connector; this is why we commented on the post, because we can't get the CEF working. It's frustrating, because the OMS Agent says that it collects logs on 25256.</P>
<P>The events are observed by the CEF Troubleshooter.</P>
<PRE>Security-config-omsagent.conf contains rsyslog.d routing configuration
rsyslog daemon configuration was found valid.
Trying to restart syslog daemon
Restarting rsyslog daemon - 'sudo service rsyslog restart'
Redirecting to /bin/systemctl restart rsyslog.service
rsyslog daemon restarted.
This will take a few seconds.
Omsagent restarted.
This will take a few seconds.
Incoming port grep: 0.0.0.0:514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*
Daemon incoming port 514 is open
Incoming port grep: 25226
tcp 0 0 127.0.0.1:25226 0.0.0.0:* LISTEN
Omsagent is listening to incoming port 25226
Validating CEF\ASA into rsyslog daemon - port 514
This will take 60 seconds.
sudo tcpdump -A -ni any port 514 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:50.745647 IP (tos 0x0, ttl 64, id 55478, offset 0, flags [DF], proto TCP (6), length 1335)
10.35.72.145.13129 &gt; 10.35.72.147.shell: Flags [P.], cksum 0x7dcb (correct), seq 24964634:24965917, ack 15089686, win 229, options [nop,nop,TS val 1370415842 ecr 324117405], length 1283
E..7..@.@...
#H.
#H.3I...|....@.....}......
Received CEF\ASA message in daemon incoming port.[514]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 514 -vv'
Fetching CEF messages from daemon files.</PRE>
<P>Then we need to go to Data Connectors -&gt; Syslog -&gt; add syslog facility, or otherwise the message doesn't appear in Log Analytics.</P>
<P>On Fortinet we can only specify the facility as syslog, alert, auth, kernel, local0, etc. We have specified the Syslog facility.</P>
<P>This is a parsing issue, because the message is sent as syslog, and Sentinel reads the CEF and maps it as Process Name: CEF.</P>
<P>But on data connectors we don't see any green connector for CEF or Fortinet.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1081082" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1081082" slang="en-US">
<P>My mistake, I didn't attach the tcpdump of the OMS Agent:</P>
<PRE>sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:58.743394 IP (tos 0x0, ttl 64, id 61856, offset 0, flags [DF], proto UDP (17), length 904)
127.0.0.1.35443 &gt; 127.0.0.1.25226: [bad udp cksum 0x0188 -&gt; 0x84d8!] UDP, length 876
Received CEF message in agent incoming port.[25226]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 25226 -vv'</PRE>
<P>On Log Analytics we can only see the message when we set the data connector facility to syslog; otherwise we don't see anything, either as a Syslog message or as a CEF message.</P>
<P>Here is a TCP dump:</P>
<PRE>127.0.0.1.35443 &gt; 127.0.0.1.25226: [bad udp cksum 0x0138 -&gt; 0xbaba!] UDP, length 796
E..8v.@.@..0.........sb..$.8&lt;190&gt;Dec 26 16:04:23 xxxx-xxx CEF: 0|Fortinet|Fortigate|v6.2.0|28704|utm:app-ctrl app-ctrl-all</PRE>
<P>On Log Analytics:</P>
<P>ProcessName: CEF</P>
<P>SyslogMessage: 0|Fortinet|Fortigate|v6.2.0|0001</P>
<P>Facility: Syslog</P>
<P>Which facility did MS recommend for this to work?</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1084366" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1084366" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/496851" target="_blank">@hpinto</A>: I think that a support ticket might be a better option to resolve this. One thing I did notice in the data you sent is that it seems that rsyslog forwards on UDP 25226, while the default (new) configuration for the OMS agent is to listen on TCP 25226.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1104560" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1104560" slang="en-US">
<P>&nbsp;</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-1106764" slang="en-US">Re: Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-1106764" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/469462" target="_blank">@majo1</A>: your comment came out empty.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-803891" slang="en-US">Azure Sentinel: Syslog, CEF and other 3rd party connectors grand list</LINGO-SUB>
<LINGO-BODY id="lingo-body-803891" slang="en-US">
<P>Most network and security systems support either Syslog or <A href="https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557" target="_self" rel="nofollow noopener noreferrer">CEF</A> (which stands for Common Event Format) over Syslog as the means for sending data to a SIEM. This makes Syslog or CEF the most straightforward ways to stream security and networking events to Azure Sentinel. Want to learn more about best practices for CEF collection? See <A href="https://techcommunity.microsoft.com/t5/Azure-Sentinel/Best-Practices-for-Common-Event-Format-CEF-collection-in-Azure/ba-p/969990" target="_self">here</A>.</P>
<P>The advantage of CEF over Syslog is that it ensures the data is normalized, making it more immediately useful for analysis in Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query-time parsing.</P>
<P>The number of systems supporting Syslog or CEF is in the hundreds, so the table below is by no means comprehensive. We will update this list continuously. The table provides links to the source device's vendor documentation for configuring the device to send events in Syslog or CEF.</P>
<PRE>Tip: Want to ingest test CEF data? <A href="https://techcommunity.microsoft.com/t5/Azure-Sentinel/Ingest-Sample-CEF-data-into-Azure-Sentinel/ba-p/1064158" target="_self">here</A> is how to do that.</PRE>
<P>For completeness, we have also included sources that log to Sentinel directly using the native Sentinel API, as well as those that can log to Windows Event Log and be read by Sentinel's Windows collection methods.</P>
<TABLE title="Table">
<TBODY>
<TR>
<TD valign="top"><P><STRONG>Vendor</STRONG></P></TD>
<TD valign="top"><P><STRONG>Product</STRONG></P></TD>
<TD valign="top"><P><STRONG>Connector</STRONG></P></TD>
<TD valign="top"><P><STRONG>Information</STRONG></P></TD>
</TR>
<TR>
<TD valign="top"><STRONG>Akamai</STRONG></TD>
<TD valign="top">&nbsp;</TD>
<TD valign="top">CEF</TD>
<TD valign="top"><A href="https://developer.akamai.com/tools/integrations/siem" target="_blank" rel="nofollow noopener noreferrer">Instructions</A></TD>
</TR>
<TR>
<TD valign="top"><P><STRONG>Apache</STRONG></P></TD>
<TD valign="top"><P>httpd</P></TD>
<TD valign="top"><P>Syslog</P></TD>
<TD valign="top"><P><A href="https://www.loggly.com/ultimate-guide/centralizing-apache-logs/" target="_blank" rel="nofollow noopener noreferrer">Using rsyslog or logger as a file forwarder</A></P></TD>
C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EAruba%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EClearPass%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.arubanetworks.com%2Ftechdocs%2FClearPass%2F6.8%2FPolicyManager%2Findex.htm%23CPPM_UserGuide%2FAdmin%2FsyslogExportFilters_add_syslog_filter_general.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EAWS%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECloudWatch%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECustom%26nbsp%3B%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EUsing%20Logstash.%20See%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FHunting-for-Capital-One-Breach-TTPs-in-AWS-logs-using-Azure%2Fba-p%2F1019767%22%20target%3D%22_self%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECarbon%20Black%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EDefense%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20s
tyle%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.carbonblack.com%2Freference%2Fcb-defense%2Fintegrations%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECarbon%20Black%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EResponse%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.carbonblack.com%2F2016%2F06%2Fcb-event-forwarder-3.2.0-released%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECheckpoint%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-checkpoint%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built%20in%20CEF%20connector%3C%2FA%3E
%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20193px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20156.667px%3B%22%3EASA%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%2088.6667px%3B%22%3ECisco%20(CEF)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20193px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESentinel%20built-in%20CEF%20connector%3C%2FP%3E%20%3CP%3ENotes%3A%3C%2FP%3E%20%3CP%3E-%20Cisco%20ASA%20support%20uses%20Sentinel's%20CEF%20pipeline.%20However%2C%20Cisco's%20logging%20is%20not%20in%20CEF%20format.%3C%2FP%3E%20%3CP%3E-%20Make%20sure%20you%20disable%20logging%20timestamp%20using%20%22no%20logging%20timestamp%22.%20See%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fasa%2Fasa82%2Fcommand%2Freference%2Fcmd_ref%2Fl2.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3Ehere%3C%2FA%3E%26nbsp%3Bfor%20more%20details.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3ECloud%20Security%20Gateway%20(CWS)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3EUse%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fwsa%2FAdvanced_Reporting%2FWSA_Advanced_Reporting_6%2FAdvanced_Web_Security_Reporting_6_3.pdf%22%20target%3D%2
2_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3ECisco%20Advanced%20Web%20Security%20Reporting%3C%2FA%3E.%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EWeb%20Security%20Appliances%20(WSA)%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3EUse%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Fwsa%2FAdvanced_Reporting%2FWSA_Advanced_Reporting_6%2FAdvanced_Web_Security_Reporting_6_3.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3ECisco%20Advanced%20Web%20Security%20Reporting%3C%2FA%3E.%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EMeraki%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocumentation.meraki.com%2FzGeneral_Administration%2FMonitoring_and_Reporting%2FSyslog_Server_Overview_and_Configuration%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstruc
tions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocumentation.meraki.com%2FzGeneral_Administration%2FMonitoring_and_Reporting%2FSyslog_Event_Types_and_Log_Samples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEvent%20Types%20and%20Log%20Samples%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EFirepower%20Threat%20Defense%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Ftd%2Fdocs%2Fsecurity%2Ffirepower%2F601%2Fconfiguration%2Fguide%2Ffpmc-config-guide-v601%2FConfiguring_External_Alerting.html%3FbookSearch%3Dtrue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%22%3EFireSight%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Fsupport%2Fdocs%2Fsecurity%2Ffiresight-management-center%2F118464-configure-firesight-00.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%2
2%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3EIronPort%20Web%20Security%20Appliance%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwiki.splunk.com%2FSet_up_Splunk_for_Cisco_IronPort_Web_Security_Appliance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3ENexus%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fswitches%2Fdatacenter%2Fnexus5000%2Fsw%2Fconfiguration%2Fguide%2Fcli_rel_4_1%2FCisco_Nexus_5000_Series_Switch_CLI_Software_Configuration_Guide_chapter26.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECisco%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%22%3EUmbrella%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%22%3ECustom%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%22%3E%20%3CP%3ESee%20%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fpulse%2Fcurious-case-saas-3rd-party-azure-sentinel-nathan-swift%2F%22%20t
arget%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20blog%20post%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECirtix%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3ENetScaler%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.citrix.com%2Farticle%2FCTX121728%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper-docs.citrix.com%2Fprojects%2Fnetscaler-syslog-message-reference%2Fen%2F12.0%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EMessage%20format%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3ECitrix%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3ENetScaler%20App%20FW%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.citrix.com%2Farticle%2FCTX136146%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-interception%3D%22on%22%3EInstructions%3C%2
FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECrowdStrike%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EFalcon%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3EUse%20a%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.crowdstrike.com%2Fresources%2Fdata-sheets%2Ffalcon-connector%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESIEM%20connector%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Einstalled%20on%20premises%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%20111px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3ECyberArk%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20156.667px%3B%22%3E%3CSPAN%3EPrivileged%20Access%20Security%3C%2FSPAN%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20111px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.cyberark.com%2FProduct-Doc%2FOnlineHelp%2FPAS%2FLatest%2Fen%2FContent%2FPTA%2FOutbound-Sending-%2520PTA-syslog-Records-to-SIEM.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.cyberark.com%2FProduct-Doc%2FOnlineHelp%2FPAS%2FLatest%2Fen%2FContent%2F
PTA%2FCEF-Based-Format-Definition.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMessage%20format%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20a%26nbsp%3B%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FCannot-get-CommonSecurityLog-Events-to-show-in-Sentinel-quot%2Fm-p%2F508132%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Echange%20is%20required%20in%20the%20MMA%20configuration%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EDarktrace%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EImmune%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESee%20%3CA%20href%3D%22https%3A%2F%2Fwww.darktrace.com%2Fen%2Fpress%2F2016%2F73%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eannouncement%3C%2FA%3E.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EF5%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EWAF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-f5%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built-in%20connector%3C%2FA%3E%3C%2FP%3
E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EF5%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EBigIP%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%20138px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESyslog%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.f5.com%2Fcsp%2Farticle%2FK13080%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%2C%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechdocs.f5.com%2Fkb%2Fen-us%2Fproducts%2Fbig-ip_ltm%2Fmanuals%2Fproduct%2Ftmos-implementations-11-5-1%2F23.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETLS%20instructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3EDirect%3A%20%3CA%20href%3D%22https%3A%2F%2Fdevcentral.f5.com%2Fs%2Farticles%2FIntegrating-the-F5-BIGIP-with-Azure-Sentinel%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eblog%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fclouddocs.f5.com%2Fproducts%2Fextensions%2Ff5-telemetry-streaming%2Flatest%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Einstructions%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmicrosofteur.sharepoint.com%2F%3Av%3A%2Ft%2FAzureSentinelProductInfo%2FEYoEiJ0yaXFCqkySHspyz6YByAYIkehOSSvbBQn6UoxiJQ%3Fe%3De5pkhR%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHow%20to%20video%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3
B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CSTRONG%3EFireEye%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3ENX%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3EWe%20could%20not%20find%20the%20vendors%20documentation.%20See%203rd%20party%20instructions%20%3CA%20href%3D%22https%3A%2F%2Finsightidr.help.rapid7.com%2Fdocs%2Ffireeye-nx%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CSTRONG%3EForcepoint%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3EWeb%20Security%20(WebSense)%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ECEF%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.websense.com%2Fcontent%2Fsupport%2Flibrary%2Fweb%2Fv78%2Ftriton_web_help%2Fsettings_siem_explain.aspx%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.websense.com%2Fcontent%2Fsupport%2Flibrary%2Fweb%2Fv76%2Fsiem%2Fsiem.pdf%23page%3D22%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDetailed%20reference%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2084px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EFortinet%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20st
yle%3D%22height%3A%2084px%3B%20width%3A%20156.667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%2088.6667px%3B%22%3E%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2084px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-fortinet%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20Built-in%20CEF%20connector%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.fortinet.com%2Fdocument%2Ffortigate%2F6.2.0%2Ffortios-log-message-reference%2F998820%2Ffortios-to-cef-log-field-mapping-guidelines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ELog%20message%20reference%3C%2FA%3E%3C%2FP%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.fortinet.com%2Fdocument%2Ffortigate%2F6.2.0%2Ffortios-log-message-reference%2F127777%2Fexamples-of-cef-support%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECEF%20mapping%20and%20examples%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EFortinet%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ESIEM%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.fortinet.com%2Ffa%2Ffaz50hlp%2F56%2F5-6-1%2FFMG-FAZ%2F2400_System_Settings%2F1600_Log%2520Forwarding%2F0400_Configuring.htm%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%
3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CSTRONG%3EHP%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3EPrinters%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3ESyslog%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2029px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fh10032.www1.hp.com%2Fctg%2FManual%2Fc04531741%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EIBM%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3EzSecure%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2056px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3ESee%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.ibm.com%2Fsupport%2Fknowledgecenter%2Fen%2FSS2RWS_2.3.0%2Fcom.ibm.zsecure.doc_2.3.0%2Fabout_this_release%2Fabout_rel_whats_new.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat's%20new%20for%20zSecure%20V2.3.0%3C%2FA%3E%3C%2FP%3E%20%3CP%3ENote%20that%20it%20supports%20alerts%20only.%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%20%3CP%3E%3CSTRONG%3EImperva%3C%2FSTRONG%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%2
0style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3E%20%3CP%3ESecureSphere%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3E%20%3CP%3ECEF%3C%2FP%3E%20%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.imperva.com%2Fdocs%2FSB_Imperva_SecureSphere_CEF_guide.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FP%3E%20%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2056px%3B%22%3E%20%3CTD%20style%3D%22width%3A%20148.667px%3B%20height%3A%2056px%3B%22%3E%3CSTRONG%3EInfoblox%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20156.667px%3B%20height%3A%2056px%3B%22%3EOn-premises%20appliance%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%2088.6667px%3B%20height%3A%2056px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20style%3D%22width%3A%20360px%3B%20height%3A%2056px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.infoblox.com%2Fdisplay%2FNAG8%2FUsing%2Ba%2BSyslog%2BServer%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInstructions%3C%2FA%3E%3C%2FTD%3E%20%3C%2FTR%3E%20%3CTR%20style%3D%22height%3A%2029px%3B%22%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20148.667px%3B%22%3E%3CSTRONG%3EKaspersky%3C%2FSTRONG%3E%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20156.667px%3B%22%3ESecurity%20Center%26nbsp%3B%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%2088.6667px%3B%22%3ESyslog%3C%2FTD%3E%20%3CTD%20valign%3D%22top%22%20style%3D%22height%3A%2029px%3B%20width%3A%20360px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.kaspersky.com%2FKSC%2FEventExport%2Fen-US%2F140022.htm%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%
Microsoft

This is part of a series of blog posts on connectors. You might also find what you are looking for here:

Note:
- Is your source missing here? Drop me a note and I will add it.
- Want to build a custom connector? Read this.
- Want to build a connector to be included in Azure Sentinel? Check this.

 

Source types

 

Syslog and CEF

Most network and security systems support either Syslog or CEF (Common Event Format) over Syslog as the means of sending data to a SIEM. This makes Syslog and CEF the most straightforward ways to stream security and networking events to Azure Sentinel.

 

  • Want to learn more about best practices for CEF collection? See here.
  • Want to scale CEF or Syslog collection? Use a VM scale set as described here.

 

The advantage of CEF over plain Syslog is that the data arrives normalized, making it immediately useful for analysis in Sentinel. However, unlike many other SIEM products, Sentinel can also ingest unparsed Syslog events and run analytics on them using query-time parsing.
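To make the difference between CEF's built-in normalization and query-time parsing of raw Syslog concrete, here is an added example (not code from the original post or from Microsoft) that does for one line what a query-time parser does: it splits the CEF header on unescaped pipes, unescapes the extension key/value pairs, and maps a few well-known keys onto CommonSecurityLog-style column names. The sample lines, the "Contoso" vendor and the NORMALIZED_NAMES mapping are constructed for illustration. A line that carries no CEF record (the Cisco ASA case in the table below) is returned as None so the caller can keep it as raw Syslog instead of mis-parsing it.

```python
import re

# The seven pipe-delimited CEF header fields, in order.
CEF_HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Assumed mapping (illustration only) from common CEF extension keys to the
# column names Sentinel's CommonSecurityLog table uses for them.
NORMALIZED_NAMES = {
    "src": "SourceIP", "spt": "SourcePort", "dst": "DestinationIP",
    "dpt": "DestinationPort", "act": "DeviceAction", "msg": "Message",
    "suser": "SourceUserName", "duser": "DestinationUserName",
}

# An extension key is a run of [A-Za-z0-9_.] preceded by start-of-string or
# whitespace and followed by '='; an escaped '\=' inside a value never matches.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESCAPE = re.compile(r"\\(.)")


def _unescape(value):
    # CEF escapes '=', '|' and '\' with a backslash; '\n' and '\r' are newlines.
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(record):
    """Split the 7 header fields on unescaped pipes and return (fields, extension).
    The extension is returned raw because unescaped pipes are legal inside it."""
    fields, buf, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            buf.append(record[i + 1])          # '\|' -> '|', '\\' -> '\'
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, record[i:]


def _parse_extension(ext):
    keys = list(_EXT_KEY.finditer(ext))
    fields = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end])
    return fields


def parse_cef(line):
    """Parse one syslog line carrying a CEF record.

    Returns a dict with the header fields, the raw extension key/values and a
    'normalized' sub-dict, or None when the line carries no CEF record (the
    Cisco ASA case), so the caller can fall back to raw Syslog handling."""
    start = line.find("CEF:")
    if start == -1:
        return None
    header, ext = _split_header(line[start + len("CEF:"):])
    event = dict(zip(CEF_HEADER_FIELDS, header))
    event["extension"] = _parse_extension(ext)
    event["normalized"] = {NORMALIZED_NAMES[k]: v
                           for k, v in event["extension"].items() if k in NORMALIZED_NAMES}
    return event


# Constructed sample lines: a CEF event from a made-up "Contoso" firewall
# (with an escaped '=' in msg and an unescaped '|' in a custom string), and a
# plain-text line that only looks like it came through the same pipeline.
SAMPLE_CEF = (
    "<134>Jan 12 10:00:01 fw01 CEF:0|Contoso|DemoFW|1.0|100|Connection denied|5|"
    "src=10.1.2.3 spt=51234 dst=203.0.113.7 dpt=443 act=deny "
    "msg=Policy rule\\=42 matched cs1Label=RuleName cs1=Block|Outbound"
)
SAMPLE_NON_CEF = "<166>Jan 12 10:00:02 asa01 constructed non-CEF text: connection built"

if __name__ == "__main__":
    for line in (SAMPLE_CEF, SAMPLE_NON_CEF):
        event = parse_cef(line)
        print(event["normalized"] if event else f"not CEF, keep raw: {line}")
```

The header is split by a small scanner rather than `str.split("|")` because a vendor may escape a pipe inside the event name, and the scanner stops after the seventh pipe because the extension may legitimately contain unescaped pipes; both cases are covered by the constructed sample.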

 

The number of systems supporting Syslog or CEF is in the hundreds, so the table below is by no means comprehensive; we will update it continuously. The table links to each source's vendor documentation for configuring the device to send events in Syslog or CEF.

 

Tip: Want to ingest test CEF data? Here is how to do that.

 

Direct

Most Microsoft cloud sources, and many other cloud and on-prem systems, can send to Azure Sentinel natively. For Microsoft Azure sources this often uses their diagnostics feature, which you can read more about here.

 

Agent

The Log Analytics agent can collect different types of events from servers and endpoints, which are listed here. To learn more about the agent, read Azure Sentinel Agent: Collecting telemetry from on-prem and IaaS server.

 

Threat Intelligence (TI)

You can use one of the threat intelligence connectors to ingest threat intelligence indicators:

  • Platform, which uses the Graph Security API
  • TAXII, which uses the TAXII 2.0 protocol

The indicators are used by Azure Sentinel's built-in TI analytics rules and can also feed rules of your own. You can read more about the Threat Intelligence connectors in module #6 of the Azure Sentinel Ninja Training.

 

Custom connectors: Logic Apps, Logstash, Azure Functions and others

In addition to CEF and Syslog, many solutions are based on Sentinel's data collector API and create custom log tables in the workspace. Those belong to 3 groups:

  • Sources that support Logstash, which in turn has an output plug-in that can send the events to Azure Sentinel.
  • Sources that have native support for the API.
  • Sources for which a community- or Microsoft-field-created solution uses the API, usually through Logic Apps or an Azure Function.

You can read more about custom connectors here.
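All three groups end up making the same call: an HTTPS POST to the Log Analytics HTTP Data Collector API, authenticated with an HMAC-SHA256 signature over the request metadata using the workspace's shared key. The following is an added example (not code from the post, from Microsoft, or from any connector it lists) that builds that request and shows how a receiver would check the signature; the workspace ID and shared key are placeholders, the records are constructed, and `send()` is included for completeness but never called here, so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
# Log-Type becomes the custom table name (with _CL appended) and may only
# contain letters, digits and underscores, up to 100 characters.
_LOG_TYPE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def is_valid_log_type(name):
    return bool(_LOG_TYPE.match(name))


def string_to_sign(method, content_length, content_type, rfc1123_date, resource=RESOURCE):
    """Canonical string the SharedKey signature covers: method, body length,
    content type, the x-ms-date header and the resource path."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"


def build_authorization(workspace_id, shared_key_b64, rfc1123_date, content_length,
                        method="POST", content_type="application/json"):
    key = base64.b64decode(shared_key_b64)           # the workspace key is base64 in the portal
    msg = string_to_sign(method, content_length, content_type, rfc1123_date).encode("utf-8")
    signature = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")
    return f"SharedKey {workspace_id}:{signature}"


def verify_authorization(header, workspace_id, shared_key_b64, rfc1123_date, content_length):
    """What a receiver does: recompute and compare in constant time. Any change
    to the date or body length invalidates the header."""
    expected = build_authorization(workspace_id, shared_key_b64, rfc1123_date, content_length)
    return hmac.compare_digest(header, expected)


def build_request(workspace_id, shared_key_b64, log_type, records, now=None):
    """Return (url, headers, body) for one batch of JSON records."""
    if not is_valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "EventTime",   # JSON field to use as TimeGenerated
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def send(url, headers, body, timeout=10):
    """POST the batch; HTTP 200 means the records were accepted for ingestion."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Placeholders and constructed sample data; replace with a real workspace ID
# and key before calling send().
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-workspace-key").decode("ascii")
SAMPLE_RECORDS = [
    {"EventTime": "2024-01-12T10:00:01Z", "Vendor": "Contoso", "Action": "deny", "SourceIP": "10.1.2.3"},
    {"EventTime": "2024-01-12T10:00:02Z", "Vendor": "Contoso", "Action": "allow", "SourceIP": "10.1.2.4"},
]

if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, "ContosoFirewall", SAMPLE_RECORDS)
    print(url)
    print(headers["Authorization"])
    # send(url, headers, body)   # only with a real workspace ID and key
```

Because the signature covers the body length and the `x-ms-date` header, a replayed or altered request fails verification; a Logic App or Azure Function connector has to recompute the header for every batch it posts.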

 

The Grand List

 

Vendor | Product | Connector Type | Connecting and using
Akamai | | CEF | Instructions
Alcide | kAudit | API | Sentinel built-in connector
AlgoSec | ASMS | CEF | Instructions and examples
Anomali | Limo | TI (TAXII) | Sentinel built-in connector
Anomali | ThreatStream | TI (Platform) | Sentinel built-in connector
Apache | httpd | Syslog | Using rsyslog or logger as a file forwarder
Aruba | ClearPass | CEF | Instructions
AT&T Cyber | AlienVault OTX | TI (Platform) | Using Logic Apps; see instructions
AWS | CloudTrail | Built-in | Sentinel built-in connector
AWS | CloudWatch | Custom | Using Logstash; see here
Barracuda | WAF | API | Sentinel built-in connector
Barracuda | CloudGen Firewall | API | Sentinel built-in connector
Carbon Black | Cloud Endpoint Standard (Cb Defense) | Function; Syslog | Sentinel built-in connector; Instructions
Carbon Black | Cb Response | Syslog | Instructions
Checkpoint | | CEF | Sentinel built-in connector
Cisco | ASA | CEF (see notes) | Sentinel built-in connector. Notes: Cisco ASA support uses Sentinel's CEF pipeline, but Cisco's logging is not in CEF format. Make sure you disable logging timestamps using "no logging timestamp"; see here for more details.
Cisco | Cloud Security Gateway (CWS) | CEF | Use the Cisco Advanced Web Security Reporting
Cisco | Web Security Appliances (WSA) | CEF | Use the Cisco Advanced Web Security Reporting
Cisco | Meraki | Syslog | Instructions; Event Types and Log Samples
Cisco | eStreamer | CEF | Using enCore
Cisco | Firepower Threat Defense | CEF; Syslog | Using eStreamer enCore; Instructions, Event reference
Cisco | FireSight | CEF | Using eStreamer enCore
Cisco | IronPort Web Security Appliance | Syslog | Instructions
Cisco | Nexus | Syslog | Instructions
Cisco | Umbrella | Custom | See this blog post
Citrix | Analytics | Direct | Sentinel built-in connector
Citrix | NetScaler | Syslog | Instructions; Message format
Citrix | NetScaler App FW | CEF | Instructions
Cloudflare | | | Use Cloudflare Logpush to send to storage and a custom connector to read events from storage (for example reading AWS S3 buckets)
Cribl | LogStream | Direct | Instructions
CrowdStrike | Falcon | CEF | Use a SIEM connector installed on premises
CyberArk | Privileged Access Security | CEF | Instructions; Message format
Darktrace | Immune | CEF | See announcement; contact vendor for instructions
Digital Guardian | | CEF | 3rd-party instructions
Extrahop | Reveal | CEF | Sentinel built-in connector
F5 | ASM (WAF) | CEF | Sentinel built-in connector
F5 | BigIP (System, LTM, AFM, ASM, APM, AVR) | Direct | Sentinel built-in connector
Fastly | WAF | Custom | See this blog post (Logic Apps or Azure Function)
Forcepoint | Web Security (WebSense) | CEF | Instructions; Detailed reference
Forcepoint | CASB | CEF | Sentinel built-in connector
Forcepoint | DLP | Direct | Sentinel built-in connector
Forcepoint | NGFW | CEF | Sentinel built-in connector
Forescout | CounterAct | CEF | Instructions
Fortinet | | CEF | Sentinel built-in connector; Log message reference; CEF mapping and examples
Fortinet | SIEM | CEF | Instructions
GitHub | | Custom | See connector, rules and hunting queries here
Google | GCP | Logstash | Instructions
HP | Printers | Syslog | Instructions
IBM | QRadar | Syslog | Forward raw events or correlation events in raw, parsed or JSON format; see instructions
IBM | X-Force | TI (TAXII) | Instructions
IBM | zSecure | CEF | See What's new for zSecure V2.3.0. Note that it supports alerts only.
Illusive | Attack Management System | Syslog | Sentinel built-in connector
Imperva | SecureSphere | CEF | Instructions
Infoblox | NIOS | Syslog | Sentinel built-in connector
Juniper | ATP | CEF | Instructions
Juniper | JunOS based devices | Syslog | Instructions
Kaspersky | Security Center | CEF | Instructions
McAfee | ePO | Syslog | Instructions. Note: TLS only (requires rsyslog TLS configuration)
McAfee | MVISION EDR | Syslog | Instructions
McAfee | Web Gateway | CEF | Instructions
Microfocus | Fortify AppDefender | CEF | Instructions (require authentication; contact vendor for further details)
Microsoft | Azure Active Directory Domain Services | |
Microsoft | Azure | Direct |
Microsoft | Application Insights | Direct |
Microsoft | App Services & Web Application monitoring | Direct | Instructions and reference architecture
Microsoft | Azure B2B | Direct | Included as part of AAD events
Microsoft | Azure B2C | Direct | Collect B2C logs from your B2C tenant into your primary tenant's AAD logs as described here
Microsoft | Azure Cosmos DB | Direct | Instructions
Microsoft | Azure Data Lake Gen 1 | Direct |
Microsoft | Azure Databricks | Direct | Instructions
Microsoft | Azure DDOS | Built-in (diagnostics) |
Microsoft | Azure DevOps | Direct | Instructions
Microsoft | Azure Firewall | Built-in (diagnostics) |
Microsoft | Azure Front Door | Direct | Instructions
Microsoft | Azure Key Vault (AKV) | Direct |
Microsoft | Azure Kubernetes Service (AKS) | Direct |
Microsoft | Azure Log Analytics | Direct | Collect query auditing and other metrics: Instructions
Microsoft | Azure Logic Apps | Direct | Instructions
Microsoft | Azure Network Security Groups (NSG) | Direct |
Microsoft | Azure Security Center | Direct |
Microsoft | Azure SQL | Direct | Instructions
Microsoft | Azure Site Recovery | Direct | Instructions
Microsoft | Azure Storage | Direct | Instructions
Microsoft | Azure WAF | Direct |
Microsoft | BitLocker / MBAM | Agent | Using Windows Event collection; blog post
Microsoft | Cloud App Security (Alerts, Discovery logs) | Built-in | Sentinel built-in connector
Microsoft | Cloud App Security (Activity Log) | CEF | Instructions
Microsoft | Desktop Analytics | Direct | Connect
Microsoft | DNS | Agent | Sentinel built-in connector
Microsoft | IIS | Agent | Instructions
Microsoft | Intune | Direct | Connect; Use cases
Microsoft | Office 365 (Exchange, SharePoint, OneDrive, DLP Alerts) | Built-in | Sentinel built-in connector. For details about DLP alerts read here
Microsoft | Office 365 (PowerBI, Yammer, Sway, Forms and others) | Custom | Use either a Logic App or an Azure Function custom connector
Microsoft | Teams (Call Logs) | Custom | Using Logic Apps
Microsoft | Teams (Management Activity) | Built-in |
Microsoft | SCCM | Agent | Instructions
Microsoft | SQL Server | Agent | Instructions, parser, rules and hunting queries
Microsoft | Sysmon | Agent | Using Windows Event collection; blog post
Microsoft | Windows (Security Events) | Agent |
Microsoft | Windows (Other Events, Sysmon) | Agent | Instructions
Microsoft | Windows network connections | Agent | VM Insights; Wire Data
Microsoft | Windows Firewall | Agent | Sentinel built-in connector
Microsoft | Windows Virtual Desktop | Direct |
Mimecast | | Agent | Announcement. For technical instructions contact the vendor.
Minerva Labs | | CEF | Please ask the vendor for instructions
MISP | | TI (Platform) | Sentinel built-in connector
NetApp | ONTAP | Syslog | Instructions. Note that those are management activity audit logs and not file usage activity logs.
Netflow | | Logstash | Use the Netflow codec plug-in
Nexthink | | CEF | Instructions
NXlog | | Direct | Instructions
Okta | SSO | Function | Sentinel built-in connector
One Identity | Safeguard | CEF | Sentinel built-in connector
Oracle | Cloud | Custom | Build your own using the Oracle Cloud API
Oracle | DB | Syslog | Instructions
Orca | | API | Sentinel built-in connector
Palo Alto | Minemeld | TI (Platform) | Sentinel built-in connector
Palo Alto | PanOS | CEF | Sentinel built-in connector
Palo Alto | Panorama | CEF | Instructions
Palo Alto | Prisma | Syslog; Custom | Instructions, Fields; Logic Apps using a Webhook and clarification
Palo Alto | Traps through Cortex | Syslog | Instructions. Notes: requires rsyslog configuration to support RFC 5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA
Perimeter 81 | | API | Instructions
Postgres | DB | Syslog, Windows Event log | Instructions
Proofpoint | TAP | Function | Sentinel built-in connector
Pulse Connect | | Syslog | Sentinel built-in connector
Qualys | VM | Function | Sentinel built-in connector
RedHat | OpenShift | Syslog; API | Instructions for Syslog; Fluentd Log Analytics plugin for API
RedHat | Azure OpenShift | Syslog; Custom | Instructions for Syslog; Fluentd Log Analytics plugin for API
RiskIQ | | Action (Logic Apps) | Azure Logic Apps built-in connector
SAP | Hana | Syslog | Instructions (requires an SAP account)
SentinelOne | | CEF | Please consult the vendor for instructions
SNMP | | Syslog | Instructions
Snort | | Syslog | Instructions
SonicWall | | CEF | Instructions. Make sure you select local use 4 as the facility and ArcSight as the Syslog format.
Sophos | Central | CEF | Instructions. Note that the script provided by Sophos has to be scheduled using a cron job, which is not documented in the reference page.
Sophos | XF Firewall | Syslog | Sentinel built-in connector
Squadra | secRMM | API | Sentinel built-in connector
Squid Proxy | | Syslog | Configure access logs with either the TCP or UDP modules. Sentinel's built-in queries use the default log format.
Symantec | DLP | Syslog; CEF | Instructions (note that only UDP is supported); Instructions (uses response automation)
Symantec | ICDX | API | Sentinel built-in connector
Symantec | Proxy SG (Bluecoat) | Syslog | Sentinel built-in connector
Symantec | Endpoint Protection Manager | Syslog | Instructions
Symantec | Cloud Workload Protection | API | Instructions
Symantec | VIP | Syslog | Sentinel built-in connector
ThreatConnect | | TI (Platform) | Sentinel built-in connector
ThreatQuotient | | TI (Platform) | Sentinel built-in connector
Trend Micro | | CEF | Using Control Manager; Using LogForwarder
Trend Micro | Deep Security | CEF | Sentinel built-in connector
Varonis | DatAlert | CEF | Instructions
WatchGuard | | CEF | Instructions
Zimperium | Mobile Threat Defense | API | Sentinel built-in connector
zScaler | Internet Access (ZIA) | CEF | Sentinel built-in connector
zScaler | Private Access (ZPA) | Logstash | Use LSS. Since LSS sends raw TCP but not Syslog, you will have to use Logstash and not Azure Sentinel's native connector.
Zoom | | Custom | Using Azure Function; see blog post

 

47 Comments
New Contributor

Is Azure Sentinel planning on normalising ingested logs? Other players in this space are normalising ingested logs (see Elastic Common Schema), with CEF being a legacy example. Is the Azure Sentinel team planning on defining a normalised data model for ingested Azure and legacy logs? This would make querying data sets a lot simpler.

 

At the moment logs are disparately sprayed across different Log Analytics workspace tables (this might be the wrong name):

SignInLogs -- AAD logs

AzureDiagnostics - SQL PaaS logs

SecurityEvent - Windows server logs - Split across windows and

Unix VM logs - Syslog

 

Otherwise if MS team can provide some guidance per Azure service and where the logs are recorded and how you can link or query across these unique Log Analytics tables?

 

Thanks in advance for your assistance. 

 

 

Frequent Visitor

The last two Fortinet links are dead.

Microsoft

@arvkris : fixed. I hope they don't change their links again...

New Contributor

Can a single Syslog/CEF server be used to stream CEF and syslog data sources?

Microsoft

@Chi_Duong : Yes, but it would require directly editing the agent and syslog daemon configuration files.

 

Update (Dec 26th 2019): You no longer need to directly edit the configuration files:

  1. Install the CEF connector VM using the instructions in the connector page.
  2. Configure the facilities & priorities that you want to get Syslog messages of using Settings -> Workspace Settings -> Advanced Settings -> Data -> Syslog
  3. Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection

That’s it. If #3 is not doable, we will have to revert to config file editing on the VM.

Frequent Visitor

 

*NOTE* We already have a support case with the vendor (Fortinet) but so far all we've got is "we cannot help you now, we have only tested this out on virtual appliances". *NOTE*

 

Is there any way to change the "default query" of a connector?

 

We have a bunch of physical FortiGate appliances, from which log shipping in CEF format to Sentinel works fine (we can see the entries in CommonSecurityLog), but they're not logged as "Fortinet" per se;

 

An example log post:

`Oct 24 14:27:07 DEVICE_HOSTNAME CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013|forward traffic close|5|start=Oct 24 2019 14:27:07 logver=60 deviceExternalId=FG....`

 

However, the Fortinet connector says "not connected".


 

 

Our guess is because Sentinel is looking for something like this (as one of the example queries):

 


... where DeviceProduct == “Fortigate” …
We assume the culprit is that it’s looking for “Fortigate”, not a wildcard “Fortigate*”, and the Fortinet physical appliances report their model as Fortigate-$MODEL.

 

So.. can we somehow change the “default query” for the connector to either search for “Fortigate*” or simply remove the “where DeviceProduct == “Fortigate”” clause completely?

 

Thank you in advance.

 

Microsoft

@arvkris : we are aware of this bug and are working to resolve. As you mentioned, it affects only the connector page.

Regular Visitor

Hi,

 

We have a Fortigate; we can see on tcpdump that logs are received by the syslog daemon and forwarded to the Sentinel agent on port 25226.

On log analytics we see that logs are arriving, with the correct format:

 

0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|3|

 

but the Fortinet connector isn't showing any received log.

 

We are facing the same issue as @arvkris, and we think this is a parsing issue.

 

@Ofer_Shezaf  is the bug that you mention corrected?

Microsoft

@hpinto

 

I think @arvkris's challenge was somewhat different

  • In his case, the second "Fortigate" (bolded in your example) was different and we missed on identifying it as Fortigate.
  • In your case, if I understand correctly, you get the information as CEF rather than parsed in the workspace. 

 

To that end, you see the value "0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|3|" in which field in which table?

 

~ Ofer

Occasional Contributor

Hello,

 

Have Infoblox DNS Query/Response logs been tested with Azure Sentinel?

I am trying to test it; so far I found the following:

 

1.  Infoblox DNS seems to generate only Threat Logs in CEF. The other logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:

#<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)

 

I am not even seeing these logs in the Sentinel workspace. The logs arrive at the Syslog agent and get forwarded to the omsagent process over port 25226, but beyond that I don't see them anywhere.

 

Please advise:

1. Should we create a custom parser for Infoblox query/response logs, or has Microsoft already addressed them?

2. How to troubleshoot log processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troubleshooting files or tables to look into?

3. By having a vendor connector listed in the Azure Sentinel connector list, such as ASA, Fortigate, .., does this mean having a "parser" in the background? The thing is, all such vendor connectors query the CommonSecurityLog with a filter on "device vendor", so I don't fully understand the technical meaning of "having an xx vendor connector".

 

Thanks in advance.

 

Microsoft

@majo1 :

 

First to your specific challenge: since the events are Syslog, they require setting up the Syslog connector rather than, or in addition to, the CEF connector. As things are now, the Syslog messages are rejected.

 

To have a single connector VM support both CEF and Syslog:

  1. Install the CEF connector VM using the instructions in the connector page (the new procedure, in case yours was set up before October).
  2. Configure the facilities & priorities that you want to get Syslog messages of using Settings -> Workspace Settings -> Advanced Settings -> Data -> Syslog
  3. Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection

 

That’s it. If #3 is not doable, we will have to revert to config file editing on the VM.

 

As to your question:

  • You will need custom parsers as described in the custom connector blog post.
  • A troubleshooting script is available for CEF. For Syslog I suggest working with support.
  • Having a connector listed in the connector page implies parsing, however most of them are CEF, which means parsed as sent. This does not hold true for the list here.
Regular Visitor

Hi @Ofer_Shezaf 

 

In our case our Fortigate sends syslog messages in CEF format; we have installed the Azure onboarding agent and CEF connector on a Linux machine.

 

On Log Analytics, we can see that the Fortigate logs are arriving.

 

Syslog Message: 0|Fortinet|Fortigate|v6.2.0|00013|traffic:forward deny|

Facility: local4

Process Name: CEF

Type: syslog

 

When we go to Data Connectors (Fortinet) we don't see any last received log, and on the CEF connector neither.

 

This is the only device from which we send syslog in CEF format.

Microsoft

@hpinto : 

 

I assume you also enabled, or at least modified, the Syslog facilities as described in my response to @majo1 above. If the facilities include local4, you will receive the CEF message *also* in the Syslog table. To avoid this you need to make sure that CEF events use a facility which is not configured for Syslog. For Fortinet use:

config log settings
set facility <facility_name>
end

 

This still leaves the question of why you did not get a CEF copy. Did you go through the steps here: https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#step-3-validate-connecti...?

Regular Visitor

Hi @Ofer_Shezaf 

 

Yes, we did those steps on the CEF connector; this is why we commented on the post, because we can't get CEF working. It's frustrating, because the OMS agent says that it collects logs on 25256.

 

The events are observed by the CEF Troubleshooter.

 

Security-config-omsagent.conf contains rsyslog.d routing configuration
rsyslog daemon configuration was found valid.
Trying to restart syslog daemon
Restarting rsyslog daemon - 'sudo service rsyslog restart'
Redirecting to /bin/systemctl restart rsyslog.service
rsyslog daemon restarted.
This will take a few seconds.
Omsagent restarted.
This will take a few seconds.
Incoming port grep: 0.0.0.0:514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*

Daemon incoming port 514 is open
Incoming port grep: 25226
tcp 0 0 127.0.0.1:25226 0.0.0.0:* LISTEN

Omsagent is listening to incoming port 25226
Validating CEF\ASA into rsyslog daemon - port 514
This will take 60 seconds.
sudo tcpdump -A -ni any port 514 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:50.745647 IP (tos 0x0, ttl 64, id 55478, offset 0, flags [DF], proto TCP (6), length 1335)
10.35.72.145.13129 > 10.35.72.147.shell: Flags [P.], cksum 0x7dcb (correct), seq 24964634:24965917, ack 15089686, win 229, options [nop,nop,TS val 1370415842 ecr 324117405], length 1283
E..7..@.@...
#H.
#H.3I...|....@.....}......
Received CEF\ASA message in daemon incoming port.[514]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 514 -vv'
Fetching CEF messages from daemon files.

 

Then we need to go to Data Connectors -> Syslog -> add syslog facility, or otherwise the message doesn't appear in Log Analytics.

 

On Fortinet we can only specify the facility as syslog, alert, auth, kernel, local0, etc.; we have specified the syslog facility.

 

This is a parsing issue, because the message is sent as syslog, and Sentinel reads the CEF and maps it as Process Name: CEF.

 

But on data connectors we don't see any green connector for CEF or Fortinet.

 

 

 

Regular Visitor

My mistake, I didn't attach the tcpdump of the OMS agent:

 

sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:58.743394 IP (tos 0x0, ttl 64, id 61856, offset 0, flags [DF], proto UDP (17), length 904)
127.0.0.1.35443 > 127.0.0.1.25226: [bad udp cksum 0x0188 -> 0x84d8!] UDP, length 876
Received CEF message in agent incoming port.[25226]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 25226 -vv'

 

On Log Analytics we can only see the message when we set the data connector facility to syslog; otherwise we don't see anything, neither as a Syslog message nor as a CEF message.

 

Here is a TCP Dump 

 

127.0.0.1.35443 > 127.0.0.1.25226: [bad udp cksum 0x0138 -> 0xbaba!] UDP, length 796
E..8v.@.@..0.........sb..$.8<190>Dec 26 16:04:23 xxxx-xxx CEF: 0|Fortinet|Fortigate|v6.2.0|28704|utm:app-ctrl app-ctrl-all 

 

on logs analytics

 

ProcessName: CEF

SyslogMessage: 0|Fortinet|Fortigate|v6.2.0|0001

Facility: Syslog

 

Which facility does MS recommend for this to work?

Microsoft

@hpinto : I think that a support ticket might be a better option to resolve this. One thing I did notice in the data you sent is that it seems that rsyslog forwards on UDP 25226 while the default (new) configuration for the OMS agent is to listen to TCP 25226.

Occasional Contributor

 

 

Microsoft

@majo1 : your comment came out empty.

Occasional Visitor
Hey Ofer, is there any way to change the OMS agent to listen for syslog traffic on a different port, i.e. 6514 for syslog-TLS? I can't seem to find the configuration change for that, even after configuring my rsyslog.conf file to listen on that port and receive packets. Any ideas? Thanks, US
New Contributor

@Ofer_Shezaf going back to the dual CEF/Syslog server. How should the configuration files look? (assuming rsyslog)

security-config-omsagent.conf - should they have both entries for syslog / cef?

local4.debug @127.0.0.1:25226         (should this be over 25224 for syslog?)

:rawmsg, regex, "CEF\|ASA" ~
*.* @@127.0.0.1:25226

 

security_events.conf - should this have both entries for syslog / cef as well?

syslog:

<source>
type syslog
port 25224
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
message_length_limit 4096
</source>

cef:

<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>

 

Thanks in advance,

Chi
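Putting together the facility and port routing Ofer describes above (CEF to 25226, plain Syslog to 25224, and a CEF facility that must not also be selected for Syslog collection) with the `CEF\|ASA` rsyslog rule and fluentd regex in Chi's post, here is an added Python example; it is not code from Microsoft or from anyone in this thread. It decodes the syslog PRI into facility and severity, decides which agent listener a line would be routed to, pulls DeviceVendor and DeviceProduct out of the CEF header, and flags the duplicate-collection case; it also shows why a prefix match on DeviceProduct catches "FortiGate-300E" where an exact match on "Fortigate" does not. The sample lines, PRI values, hostnames and trailing CEF extensions are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines modelled on messages quoted in this thread;
# PRI values, hostnames and the CEF extensions are assumptions.
SAMPLES = [
    "<190>Dec 26 16:04:23 fw01 CEF: 0|Fortinet|Fortigate|v6.2.0|28704|utm:app-ctrl app-ctrl-all|3|start=Dec 26 2019 16:04:23",
    "<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)",
    "<172>Oct 24 14:27:07 fw02 CEF: 0|Fortinet|FortiGate-300E|6.0.5,build0268 (GA)|0000000013|forward traffic close|5|deviceExternalId=FG-PLACEHOLDER",
]

# Syslog facility numbers 0..23 in order; 16..23 are local0..local7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SYSLOG_PORT, CEF_PORT = 25224, 25226   # agent listeners quoted in the thread
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Mirrors the rsyslog rule `:rawmsg, regex, "CEF\|ASA"` (POSIX BRE alternation).
CEF_ASA_RE = re.compile(r"CEF|ASA")
# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(r"CEF:\s*(\d+)\|" + r"([^|]*)\|" * 6 + r"(.*)$")


@dataclass
class Routed:
    facility: str
    severity: int
    agent_port: int                      # 25224 (Syslog) or 25226 (CEF/ASA)
    vendor: Optional[str] = None         # DeviceVendor from the CEF header
    product: Optional[str] = None        # DeviceProduct from the CEF header
    warnings: List[str] = field(default_factory=list)


def route(line: str, syslog_facilities: set) -> Routed:
    """Classify one raw syslog line the way the agent's rsyslog rules do, and warn
    when a CEF line's facility is also selected for Syslog collection (the event
    would then land in both the CommonSecurityLog and Syslog tables)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    fac_num, severity = divmod(int(m.group(1)), 8)
    if fac_num >= len(FACILITIES):
        raise ValueError("facility %d out of range" % fac_num)
    facility = FACILITIES[fac_num]
    is_cef = CEF_ASA_RE.search(line) is not None
    r = Routed(facility, severity, CEF_PORT if is_cef else SYSLOG_PORT)
    cef = CEF_RE.search(line)
    if cef:
        r.vendor, r.product = cef.group(2), cef.group(3)
    if is_cef and facility in syslog_facilities:
        r.warnings.append(f"facility {facility} is also collected as Syslog; event will be duplicated")
    return r


def is_fortigate(product: Optional[str]) -> bool:
    """Prefix match: physical appliances report e.g. 'FortiGate-300E', which an
    exact, case-sensitive comparison with 'Fortigate' misses."""
    return bool(product and product.lower().startswith("fortigate"))


if __name__ == "__main__":
    for sample in SAMPLES:
        print(route(sample, {"local7", "auth"}))
```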

Microsoft

@UnixStricken : I would modify the install script by changing daemon_default_incoming_port to your desired port.

Occasional Contributor

@Ofer_Shezaf We can't get the omsagent to accept syslog messages from Meraki, getting "pattern not match" errors in omsagent.log. It appears that the agent is attempting to match <ident> to "CEF" or "ASA". If we exclude the <ident> part of the regex we get a nil error, if we choose anything else in the log message as <ident> we get an error saying "failed to find ident: {string}". Do you have any idea how we can get the omsagent to accept the raw syslog messages? We can't find any clear documentation regarding this unfortunately...

 

Many thanks in advance!

Microsoft

@wadstromdev : I think that the events are treated as CEF events, i.e. sent to port 25226 instead of 25224 by the Syslog daemon. I suggest opening a support ticket to help resolve this configuration issue.

Senior Member

How do we normalize these logs? No documentation on a very important topic.

Microsoft

Hi @josephabraham : This would depend on the source. CEF sources are parsed and normalized at the source. For Syslog sources, see the section on parsing in the custom connectors blog post.

Occasional Contributor

The McAfee ePO "Instructions" link 404s, this link should fix it "https://docs.mcafee.com/bundle/epolicy-orchestrator-5.9.x-product-guide/page/GUID-5C5332B3-837A-4DDA..."

 

The Okta Logstash input has been deprecated and replaced by a newer version using the System Log API (written by the same author) - https://rubygems.org/gems/logstash-input-okta_system_log

 

Can also add Algosec:

Vendor | Product | Connector | Information
Algosec | ASMS | CEF | AFA instructions; FireFlow instructions

 

 

Microsoft

Thanks @pemontto for the updates! post updated.

Senior Member

Is there a Workday integration in progress ?

Established Member

New to Sentinel, but see Juniper firewalls are a notable omission, is everyone just using CEF?

Occasional Visitor

I am trying to integrate Trend Micro Inter message scan, which does not have a default data connector for Sentinel; while configuring syslog for Trend Micro, data is still not sent to the Azure Log Analytics workspace for Sentinel.

 

The log forwarder is deployed on-prem and configured as per MS guidance for syslog and CEF on the same machine; please guide what the next step could be, because using the same server, Cisco and Palo Alto log forwarding is working fine.

 

Guidance will be really appreciated.  

Microsoft

@Shoaib365 : since this issue is bound to require deeper look into your system I think that a support ticket is the best route.

New Contributor

I see that SentinelOne says "Please consult vendor for instructions," so I've reached out to support.  Is there anyone who is ingesting from SentinelOne's EDR into Azure Sentinel that would be able to discuss what you are seeing and any workflows you may have behind it?  Thanks!

Occasional Contributor
On the Sentinel console we can see the number of connectors available has increased to 54.
Can you also update this list here as well? Do we have SAP logs supported, and connectors for vulnerability solutions like Nessus and Qualys?
Microsoft

@Dev_Choudhary : list updated. Qualys is already there in the 54.... We are looking into SAP and Nessus but do not have an ETA.

Occasional Contributor

great content @Ofer_Shezaf  have shared with my LinkedIn Network

Occasional Contributor

Thanks @Ofer_Shezaf 

New Contributor

Hi again @Ofer_Shezaf 
I may be missing something obvious here but how does the IronPort Instructions link which points to the Splunk implementation of the Cisco WSA, help with integrating IronPort to Sentinel?   

Cisco IronPort Web Security Appliance Syslog

Instructions

Regards - Col.

Microsoft

@Col_Sanders : Thanks for pointing this out. I am not sure whether the Splunk page has changed or that I was hallucinating in the first place. Anyways, I updated it to a Cisco documentation page.

Occasional Contributor

Do we have Sentinel connectors for Juniper and Box in the pipeline?

Microsoft

@Dev_Choudhary : Juniper supports Syslog. I have now added it to the list above. Box would require a custom connector. As a workaround see: 

Ingest Box.com activity events via Microsoft Cloud App Security into Azure Sentinel

Occasional Contributor

Thanks @Ofer_Shezaf  for your response.

For Box, I can use Logstash to retrieve and send event to Sentinel. 

For Juniper, can you please confirm whether it is directly supported, or do we need to first configure rsyslog to get and write events to a file and then configure the OMS agent to read this file?

Also, if it is directly supported, can we expect it will also do parsing?

Senior Member

@Ofer_Shezaf Any plans to make syslog integration easier using an agent alone and removing the need for a syslog server?

 

"If you want to send data from a TCP or UDP source such as syslog, use the Splunk Universal Forwarder to listen to the source and forward the data to your Splunk Cloud deployment."

https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-a-Splunk-Heavy-Forwarder-send-data-vi...

 

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/UsingforwardingagentsCloud#Use_a_Uni...

 

Would make life a bit easier :)

Senior Member

We seem to be having problems with FTD integrations in Sentinel. We are receiving the Syslog message in Azure Sentinel but we do not seem to be able to parse it. Also, the link for using Estreamer Encore does not seem to work.

Occasional Visitor

Does MS have any plans, or anything in the roadmap, to support Sybase database? We have a requirement to forward application logs residing in Sybase to Sentinel; is there any way we can achieve this? 

In past this used to work by using ArcSight flex connector, is there a similar framework that can be used. 

Frequent Visitor

Hi @Ofer_Shezaf,

Is there a way to send Ubuntu Auth.log data to Azure Sentinel? 

Regards,

Muhammad

 

 

Occasional Contributor

@m-waqar have you configured your OMS agent to read the auth.log file (from Azure Sentinel, Workspace Setting --> Advanced setting --> Data --> Syslog)?

 


 

 

 

Occasional Visitor

Surely I'm missing the obvious, but where is Microsoft ATP? How does Sentinel collect the events from the endpoints armed with WD ATP, and how do Azure ATP or Office 365 ATP communicate with Sentinel? 

And last but not least - is Microsoft ATA a supported log source, or is it too old or too non-cloud? ;)