What does 'supported' mean

Normalization is important for searching across all events. Normalization is the process of extracting key: value pairs from events.
This is necessary for both basic operations and advanced techniques such as AI and DL.

Why is normalization important?

Consider the query "Find all events by admin_west". What makes a SIEM specific is that hundreds of different source types are connected to the system. In some events the account arrives in a field named user_name, in others in a field named user, and in others the value is buried in a text blob. As a result, without normalization a query to the event database will either be too long and heavy, or it will return only part of the events.
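
The effect described above, as an added Python sketch that is not part of the product or its parsers: the sample events, the source labels and the `USER_KEYS` mapping are constructed for illustration, and the CEF parsing ignores escaped characters.

```python
import re

# Constructed sample events: the same account seen by four differently shaped sources.
RAW_EVENTS = [
    {"source": "windows", "raw": {"EventID": 4624, "TargetUserName": "admin_west"}},
    {"source": "json_app", "raw": {"user_name": "admin_west", "action": "login"}},
    {"source": "cef", "raw": "CEF:0|Vendor|FW|1.0|100|Admin login|5|suser=admin_west src=10.0.0.7"},
    {"source": "syslog", "raw": "sshd[811]: Accepted password for admin_west from 10.0.0.9 port 50022 ssh2"},
    {"source": "syslog", "raw": "sshd[812]: Accepted password for backup from 10.0.0.9 port 50023 ssh2"},
    {"source": "syslog", "raw": "kernel: eth0 link up"},  # no user in this blob
]

# Per-source name of the field that holds the account (assumed mapping for this sketch).
USER_KEYS = {"windows": "TargetUserName", "json_app": "user_name", "cef": "suser"}
SSH_RE = re.compile(r"for (?:invalid user )?(\S+) from (\S+)")

def parse_cef_extension(line):
    """Return the key=value pairs of a CEF extension (escaped '|' and '=' not handled)."""
    extension = line.split("|", 7)[7]
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", extension))

def normalize(event):
    """Map one raw event onto a common schema with a single 'user' field."""
    source, raw = event["source"], event["raw"]
    if source == "cef":
        fields = parse_cef_extension(raw)
    elif source == "syslog":
        match = SSH_RE.search(raw)
        fields = {"user": match.group(1)} if match else {}
    else:
        fields = raw
    return {"source": source, "user": fields.get(USER_KEYS.get(source, "user")), "raw": raw}

def find_by_user(events, user):
    """Query the normalized field: one exact-match condition for every source."""
    return [e for e in map(normalize, events) if e["user"] == user]

def naive_find(events, user):
    """Query raw events by one source's field name: misses every other source."""
    return [e for e in events if isinstance(e["raw"], dict) and e["raw"].get("user_name") == user]

if __name__ == "__main__":
    print(len(find_by_user(RAW_EVENTS, "admin_west")), "events via normalized field")
    print(len(naive_find(RAW_EVENTS, "admin_west")), "event via raw user_name only")
```

Events that no parser recognizes keep `user` empty rather than being dropped, so they remain searchable by their raw text.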

List of main supported sources

MS Windows 2000
MS Windows 2003
MS Windows XP
MS Windows 7/8/2008
MS Windows 2012
MS Exchange 2007/2010/2013 (Txt logs + MS Exchange Management event log + RCA Client logs)
MS IIS (w3c)
MS DHCP Server
Group-IB Bot-Trek TDS (CEF, JSON)
PaloAlto (CEF, LEEF)
Linux/Unix/BSD/Suse syslog
Mac OS over syslog
Apache web server over syslog
Nginx over syslog
Vsftpd over syslog
MySQL over syslog
Dovecot over syslog
Postfix over syslog
Suricata (syslog+CEF)
SNORT (syslog)
Cisco ASA (any)
Cisco PIX (any)
Cisco Catalyst
Cisco FW (any)
Cisco WLC
Cisco WSA
Cisco IPS
Cisco Email Security Appliance (ironport)
Cisco ASA Firepower
TrendMicro Control Manager (CEF syslog)
TrendMicro Proxy IWSVA (syslog)
Symantec (over MS SQL)
Сфинкс access control system (ACS)
Интеллект access control system (ACS)
RusGuard access control system (ACS)
Stonegate Stonesoft
VMware ESX 5.1, 5.5
Safeinspect (syslog plain/CEF)
Fortinet Fortigate
Fortinet Fortianalyzer (syslog)
1С 8.2
AlgosecFW Analyzer
CEF syslog - any sources
Syslog (tcp/udp) - any sources
Syslog TLS
SDEE (http/https)
EtherStat Microolap Technologies
InfoTecs IDS
Код безопасности (Security Code)
Infowatch Traffic Monitor
Forcepoint Firewall 6x (LEEF)
RNT Forpost monitoring
McAfee Web Gateway (syslog)
McAfee Email Gateway (syslog, CEF, splunk)
McAfee Firewall (LEEF)
McAfee GTI (global threat exchange) parser splunk format
gitolite over syslog
fail2ban over syslog

List of supported transports
  • Microsoft Windows standard event logs (System/Applications/Security)
  • Microsoft Windows custom event logs
  • Microsoft Windows applications event logs
  • Microsoft Windows installed software list
  • Microsoft Windows patches list
  • Microsoft Windows WMI command (the command's answer is returned as events)
  • Hasher for Windows (collects processes and their hashes as events)
  • MS EVT and WMI transport
  • Microsoft SQL (tables, views) - any logs
  • Oracle - any logs, Oracle Audit trail
  • MySQL (tables, views)
  • Cisco SDEE
  • Checkpoint LEA
  • File - log files over network shares
  • FTP - logs on FTP servers
  • Syslog plain
  • Syslog TLS
  • Syslog CEF
  • Syslog LEEF

This is not a complete list. Have questions? Contact us!

What if a source is not in the supported list?

We are constantly expanding the list of supported sources. Priorities depend on our customers. Adding new sources and parsers presents no problems or difficulties.

If a source is not in the supported list, please contact us and we will help you.