Sources and parsers

What does "supported" mean?

The concept of normalization is central to searching across all events. Normalization is the process of extracting key: value pairs from raw events, so that the same piece of information (a user name, a source address, an action) is stored under the same field name regardless of which source produced the event.
This is necessary both for basic operations (search, filtering, correlation) and for advanced techniques such as AI and DL.

Why is normalization important?

Take the query "Find all events by admin_west". What makes a SIEM specific is that hundreds of different source types are connected to the system. In some events the account arrives as user_name, in others as user, and in others the required field is buried somewhere in a free-text blob. As a result, without normalization a query against the event database is either too long and heavy, or it returns only part of the events.
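The following is an added illustration of that point, not code from the product described on this page. It takes constructed sample events in three of the formats listed below (plain syslog text, CEF, JSON), extracts key: value pairs from each, folds the source-specific account field names (user_name, suser, and so on) into one "user" key, and then runs the "find all events by admin_west" query against the normalized result. The field aliases, regular expressions and sample lines are assumptions made for the example.

```python
import json
import re

# Constructed sample events (not real logs from any product) in three formats:
# plain syslog text, CEF, and JSON. The account name travels under a different
# key in each one, or inside free text.
RAW_EVENTS = [
    "<86>Mar  3 10:15:01 bastion sshd[2112]: Accepted publickey for admin_west from 10.0.5.7 port 50122 ssh2",
    "CEF:0|Vendor|Firewall|1.0|100|Admin login|3|src=10.0.5.7 suser=admin_west act=allow",
    '{"ts": "2024-03-03T10:16:40Z", "user_name": "admin_west", "action": "config_change"}',
    '{"ts": "2024-03-03T10:17:02Z", "user": "svc_backup", "action": "read"}',
    "CEF:0|Vendor|Firewall|1.0|100|Admin login|3|src=10.0.5.9 suser=jdoe act=allow",
]

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_HEADER = re.compile(r"^CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
# CEF extension pairs: key=value, where a value may contain spaces but a key may not
CEF_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# sshd free text: "Accepted <method> for <user> from <ip> port <port>"
SSHD_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")

# Assumed source-specific names for the account field, all folded into "user".
USER_ALIASES = ("user_name", "suser", "username", "account")
# Assumed source-specific names for the source address, all folded into "src_ip".
SRC_ALIASES = ("src", "source_ip", "client_ip")


def parse_cef(line):
    """Extract the CEF header fields and every key=value pair of the extension."""
    m = CEF_HEADER.match(line)
    if not m:
        raise ValueError("not a CEF line")
    fields = {
        "vendor": m.group(2), "product": m.group(3),
        "signature_id": m.group(5), "name": m.group(6), "severity": int(m.group(7)),
    }
    fields.update({k: v for k, v in CEF_PAIR.findall(m.group(8))})
    return fields


def parse_syslog(line):
    """Pull the account, address and port out of an sshd text message, if present."""
    fields = {}
    m = SSHD_ACCEPTED.search(line)
    if m:
        fields.update(auth_method=m.group(1), user=m.group(2),
                      src_ip=m.group(3), src_port=int(m.group(4)))
    return fields


def normalize(line):
    """Turn one raw event into key: value pairs with common field names."""
    line = line.strip()
    if line.startswith("{"):
        event = json.loads(line)
        event["format"] = "json"
    elif line.startswith("CEF:"):
        event = parse_cef(line)
        event["format"] = "cef"
    else:
        event = parse_syslog(line)
        event["format"] = "syslog"
    # Fold every alias onto the single normalized key.
    for alias in USER_ALIASES:
        if alias in event:
            event["user"] = event.pop(alias)
    for alias in SRC_ALIASES:
        if alias in event:
            event["src_ip"] = event.pop(alias)
    event["raw"] = line  # keep the original text for evidence and debugging
    return event


def search_by_user(lines, user):
    """The query 'find all events by <user>', evaluated over normalized events."""
    return [e for e in (normalize(line) for line in lines) if e.get("user") == user]


if __name__ == "__main__":
    for e in search_by_user(RAW_EVENTS, "admin_west"):
        print(e["format"], e.get("src_ip"), e["raw"][:60])
```

With normalization the query is a single equality test on "user"; without it the same question would need one clause per source-specific field name plus a free-text search over the syslog blob, which is exactly the "too long and heavy, or returns only part of the events" trade-off described above.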

List of main supported sources

  • MS Windows 2000
  • MS Windows 2003
  • MS Windows XP
  • MS Windows 7/8/2008
  • MS Windows 2012
  • MS Exchange 2007/2010/2013 (Txt logs + MS Exchange Management event log + RCA Client logs)
  • MS IIS (w3c)
  • MS DHCP Server
  • MS SCCM (via MS SQL DB)
  • Group-ib Bot-Trek TDS (cef, json)
  • PaloAlto (CEF, LEEF)
  • vGate
  • Linux/Unix/BSD/Suse syslog
  • Mac OS over syslog
  • Squid
  • Apache web server over syslog
  • Nginx over syslog
  • Vsftpd over syslog
  • Mysql over syslog
  • Dovecot over syslog
  • Postfix over syslog
  • Bluecoat
  • Suricata (syslog+CEF)
  • SNORT (syslog)
  • Bro-ids
  • Checkpoint
  • Cisco ASA (any)
  • Cisco PIX (any)
  • Cisco catalyst
  • Cisco FW (any)
  • Cisco WLC
  • Cisco WSA
  • Cisco IPS
  • Cisco Email Security Appliance (ironport)
  • Cisco ASA Firepower
  • TrendMicro Control Manager (CEF syslog)
  • TrendMicro Proxy IWSVA (syslog)
  • Kaspersky
  • Symantec (over MS SQL)
  • Сфинкс access control system (СКУД)
  • Интеллект access control system (СКУД)
  • RusGuard access control system (СКУД)
  • Stonegate Stonesoft
  • VmWare Esx 5.1, 5.5
  • Safeinspect (syslog plain/CEF)
  • SecretNet
  • Fortinet Fortigate
  • Fortinet Fortianalyzer (syslog)
  • 1C 8.2
  • AlgosecFW Analyzer
  • CEF syslog — any sources
  • Syslog (tcp/udp) — any sources
  • Syslog TLS
  • SDEE (http/https)
  • EtherStat Microolap Technologies
  • InfoTecs IDS
  • Код безопасности (Security Code)
  • Infowatch Traffic Monitor
  • Forcepoint Firewall 6x (LEEF)
  • RNT Forpost monitoring
  • McAfee Web Gateway (syslog)
  • McAfee Email Gateway (syslog, CEF, splunk)
  • McAfee Firewall (LEEF)
  • McAfee IPS (LEEF, CEF)
  • McAfee GTI (global threat exchange) parser splunk format
  • DallasLock
  • gitolite over syslog
  • fail2ban over syslog

List of supported transports

  • Microsoft Windows standard event logs (System/Applications/Security)
  • Microsoft Windows custom event logs
  • Microsoft Windows applications event logs
  • Microsoft Windows installed software list
  • Microsoft Windows installed patches list
  • Microsoft Windows WMI command (command output delivered as events)
  • Hasher for Windows (running processes and their hashes delivered as events)
  • MS EVT and WMI transport
  • Microsoft SQL (tables, views) — any logs
  • Oracle — any logs, Oracle Audit trail
  • MySQL (tables, views)
  • Cisco SDEE
  • Checkpoint LEA
  • File — log files over network shares
  • FTP — log files on FTP servers
  • Syslog plain
  • Syslog TLS
  • Syslog CEF
  • Syslog LEEF

This is not a complete list. Have questions? Contact us!

What if my source is not in the supported list?

We are constantly expanding the list of supported sources. Priorities depend on our customers. Adding new sources and parsers presents no problems or difficulties.

If your source is not in the supported list, please contact us and we will help you.