What does 'supported' mean?
The concept of normalization is important for searching all events. Normalization is the process of extracting key: value pairs.
This is necessary both for basic operations and for advanced techniques such as AI and DL.
Why is normalization important?
Take the query "Find all events by admin_west". What makes a SIEM special is that hundreds of different types of sources are connected to the system. In some events the user arrives as user_name, in others as user, and in others the needed field is buried somewhere inside a text blob. As a result, without normalization a query against the event database is either too long and heavy, or it returns only part of the events.
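The following is an added example, not code from the original page or from the product it describes: a small normalizer that lifts the user out of three event shapes the page mentions (a CEF extension, a JSON record with user_name, and a free-text syslog message) into one common user field, so the query "find all events by admin_west" becomes a single lookup. The sample events, the USER_KEYS mapping and the regular expressions are constructed assumptions.

```python
import json
import re

# Constructed sample events (not real logs): CEF, JSON and plain syslog text.
SAMPLE_EVENTS = [
    "CEF:0|PaloAlto|PAN-OS|9.0|login|User login|3|src=10.0.0.5 suser=admin_west msg=Login succeeded",
    '{"event_type": "ssh_login", "user_name": "admin_west", "src_ip": "10.0.0.7"}',
    "Jan 10 12:00:01 host sshd[1234]: Accepted password for admin_west from 10.0.0.9 port 5522",
    "CEF:0|Cisco|ASA|9.1|106100|Deny|5|src=10.0.0.8 suser=jdoe",
]
# Names different sources use for the same concept (hypothetical mapping).
USER_KEYS = ("suser", "user", "user_name", "username", "duser")
# CEF extension: key=value pairs; a value may itself contain spaces.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Free-text fallback for messages such as "Accepted password for <user> from ...".
TEXT_USER_RE = re.compile(r"\bfor (?:user )?(?P<user>[A-Za-z0-9_.-]+)\b")

def parse_cef(line):
    """Split the seven pipe-delimited CEF header fields, then the extension."""
    parts = line.split("|", 7)
    fields = {"vendor": parts[1], "product": parts[2], "name": parts[5]}
    for key, value in CEF_EXT_RE.findall(parts[7]):
        fields[key] = value
    return fields

def parse_text(line):
    fields = {"message": line}  # keep the raw blob, try to lift the user out of it
    match = TEXT_USER_RE.search(line)
    if match:
        fields["user"] = match.group("user")
    return fields

def normalize(raw):
    """Parse one raw event and map the source-specific user field to 'user'."""
    if raw.startswith("CEF:"):
        fields = parse_cef(raw)
    elif raw.startswith("{"):
        fields = json.loads(raw)
    else:
        fields = parse_text(raw)
    for key in USER_KEYS:  # first source-specific name present wins
        if key in fields:
            fields["user"] = fields[key]
            break
    return fields

def find_events_by_user(raw_events, user):
    """The query 'find all events by <user>' run over normalized events."""
    normalized = [normalize(event) for event in raw_events]
    return [event for event in normalized if event.get("user") == user]
```

Without the normalize step the same query would need one clause per source-specific field name plus a text search, and would still miss sources whose field name nobody thought of.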
- List of main supported sources
MS Windows 2000
MS Windows 2003
MS Windows XP
MS Windows 7/8/2008
MS Windows 2012
MS Exchange 2007/2010/2013 (Txt logs + MS Exchange Management event log + RCA Client logs)
MS IIS (w3c)
MS DHCP Server
MS SCCM (via MS SQL DB)
Group-ib Bot-Trek TDS (cef, json)
PaloAlto (CEF, LEEF)
Mac OS over syslog
Apache web server over syslog
Nginx over syslog
Vsftpd over syslog
Mysql over syslog
Dovecot over syslog
Postfix over syslog
Cisco ASA (any)
Cisco PIX (any)
Cisco FW (any)
Cisco Email Security Appliance (ironport)
Cisco ASA Firepower
TrendMicro Control Manager (CEF syslog)
TrendMicro Proxy IWSVA (syslog)
Symantec (over MS SQL)
VmWare Esx 5.1, 5.5
Safeinspect (syslog plain/CEF)
Fortinet Fortianalyzer (syslog)
CEF syslog - any sources
Syslog (tcp/udp) - any sources
EtherStat Microolap Technologies
Infowatch Traffic Monitor
Forcepoint Firewall 6x (LEEF).
RNT Forpost monitoring
McAfee Web Gateway (syslog)
McAfee Email Gateway (syslog, CEF, splunk)
McAfee Firewall (LEEF)
McAfee IPS (LEEF, CEF)
McAfee GTI (global threat exchange) parser splunk format
gitolite over syslog
postfix over syslog
dovecot over syslog
fail2ban over syslog
- List of supported transports
- Microsoft Windows standard event logs (System/Applications/Security)
- Microsoft Windows custom event logs
- Microsoft Windows applications event logs
- Microsoft Windows software list
- Microsoft Windows patches list
- Microsoft Windows WMI command (query results delivered as events)
- Hasher for Windows (collects processes and their hashes into events)
- ms evt and wmi transport
- Microsoft SQL (tables, views) - any logs
- Oracle - any logs, Oracle Audit trail
- MySQL (tables, views)
- Cisco SDEE
- Checkpoint LEA
- File - log files over network shares
- FTP - log files on FTP servers
- Syslog plain
- Syslog TLS
- Syslog CEF
- Syslog LEEF
This is not a complete list. Have questions? Contact us!
What if there is no source in the list of supported?
We are constantly expanding the list of supported sources; priorities are set by our customers' needs. Adding new sources and parsers presents no problems or difficulties.
If your source is not in the supported list, please contact us and we will help you.