SEM connectors
SEM connectors intercept events sent from a specific product in your network and convert these events into normalized messages that SEM can understand.
See Collect and normalize event data using SEM connectors for details on how to apply a SEM connector update package and set up the SEM connectors.
SEM connector categories
Listed below are the categories of network security products that can connect to SEM. Click a category to review all current connectors available for the selected category. See SEM connector categories for a description of each category.
Jump to: Anti-Virus | Application | Application Switch | Data Loss Prevention | Database | E-Mail | File Transfer and Sharing | Firewalls | IAM | IDS and IPS | Manager | Network Access Control | Network Management | Network Services | Operating Systems | Physical Infrastructure | Proxies/Content Filters | Routers/Switches | Security and UTM | Storage | System Scan Reporters | VPN and Remote Access | WebServer
Anti-Virus | Description |
---|---|
AMaViS | Collects syslog events from AMaViS, a mail content filter that hands messages to virus scanners and spam checkers. Typically used in conjunction with the ClamAV connector. |
AVG 7.5 Network | |
AVG DataCenter 7.5 | |
AVG DataCenter 8.0 | |
Bromium virtualization-based security catches | Collects "catch" events from Bromium virtualization-based endpoint security, which isolates untrusted tasks in micro-VMs and reports the attacks it contains. |
ClamAV | Collects events from devices where the Clam AV application has been deployed. |
Command Antivirus for Windows | |
Command for Exchange Server | |
Cylance-Next Generation Anti-Virus | Collects events from Cylance next-generation anti-virus. |
ESET NOD32 syslog | Collects syslog events from ESET NOD32 Server. |
Enhanced Mitigation Experience Toolkit (EMET) | The Enhanced Mitigation Experience Toolkit (EMET) is a Microsoft utility that helps prevent software vulnerabilities from being successfully exploited by applying exploit mitigation technologies. These mitigations are obstacles an attacker must defeat to exploit a vulnerability; they do not guarantee that exploitation is impossible, but they make it as difficult as possible. Note that Microsoft ended support for EMET in July 2018; on Windows 10 and later, its mitigations are provided by Windows Defender Exploit Guard (Exploit protection). |
Eset Remote Administrator | Collects events from ESET Remote Administrator. |
F-Secure Anti-Virus 7 | |
F-Secure Policy Manager Server 10 | Collects F-Secure events from the Policy Manager Server H2 embedded database. |
F-Secure syslog | Collects events from the F-Secure syslog. |
Forefront Endpoint Protection - AV | |
Forefront Security Application Log (Client Security, Exchange and Sharepoint) | |
Forefront Security SQL Database | |
Forefront Security System Log (Client Security) | |
FreshClam | Collects events from devices using FreshClam to update the ClamAV signature database. It is recommended that this connector is used in conjunction with the ClamAV connector. |
Group Shield/Outbreak for Exchange Server | |
InoculateIT 6.0 | |
InoculateIT 7.0+ | |
Kaspersky Administration Kit 8 | |
Kaspersky Administration Kit 8 - Extended version | |
Kaspersky Anti-Virus 10 | |
Kaspersky Anti-Virus 6 | |
Kaspersky Endpoint Security 11 | |
Kaspersky Security Center | |
Kaspersky Security Center - Extended | |
Kaspersky events via Windows EventLog | |
Malware Bytes Management Console | Collects events from the Malwarebytes Management Console. |
Malware Bytes non-syslog | Reads Malwarebytes protection log files directly (protection-log-yyyy-mm-dd and protection-log-yyyy-mm-dd.xml) rather than receiving them over syslog. |
Malware bytes syslog | Collects Malwarebytes endpoint protection events over syslog. |
McAfee Access Protection | |
McAfee Activity Log (4.5 DAT file update) | |
McAfee Mail Scan | |
McAfee NetShield | |
McAfee On Access Scan v7.0 | |
McAfee Total Protection | |
McAfee Update v7.0 | |
McAfee VSC | |
McAfee VSH 5.0/7.0 | |
McAfee VSH 80i | |
McAfee VSH 85i | |
McAfee VSH Home | |
McAfee Web Email Scan | |
Microsoft Security Essentials | |
Microsoft Windows Defender-Operational | Microsoft Windows Defender is an anti-malware application that identifies and removes viruses, spyware, and other malicious software. To enable, add a new key called Microsoft-Windows-Windows Defender/Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Microsoft Windows Defender-Windows Health Center | Microsoft Windows Defender is an anti-malware application that identifies and removes viruses, spyware, and other malicious software. To enable, add a new key called Microsoft-Windows-Windows%20Defender/WHC under the registry entry described in the linked KB article (which shows the same procedure on a different connector). If there are issues, delete ' |
NOD32 Antivirus 4 Access Event | |
NOD32 Antivirus 4 Access Scan | |
NOD32 Antivirus 4 Access Threat | |
NOD32 Antivirus 4 SQL Event | |
NOD32 Antivirus 4 SQL Scan | |
NOD32 Antivirus 4 SQL Threat | |
NOD32 Antivirus 5 Access Event | Collects NOD32 Antivirus 5 event records from the ESET Remote Administrator MS Access database. |
NOD32 Antivirus 5 Access Firewall | Collects NOD32 Antivirus 5 firewall records from the ESET Remote Administrator MS Access database. |
NOD32 Antivirus 5 Access Scan | Collects NOD32 Antivirus 5 scan records from the ESET Remote Administrator MS Access database. |
NOD32 Antivirus 5 Access Threat | Collects NOD32 Antivirus 5 threat records from the ESET Remote Administrator MS Access database. |
NOD32 Antivirus 5 SQL Event | Collects NOD32 Antivirus 5 event records from the ESET Remote Administrator SQL Server database. |
NOD32 Antivirus 5 SQL Firewall | Collects NOD32 Antivirus 5 firewall records from the ESET Remote Administrator SQL Server database. |
NOD32 Antivirus 5 SQL Scan | Collects NOD32 Antivirus 5 scan records from the ESET Remote Administrator SQL Server database. |
NOD32 Antivirus 5 SQL Threat | Collects NOD32 Antivirus 5 threat records from the ESET Remote Administrator SQL Server database. |
Palo Alto Traps | Collects anti-virus events from Palo Alto Networks Traps via the Endpoint Security Manager (ESM). |
Panda Security for Desktops 4.02 | |
Sophos Anti-Virus SNMP | |
Sophos Anti-Virus for Win2k | |
Sophos Enterprise 2.0 Database | |
Sophos Enterprise 3.0 Database | |
Sybari's Antigen 7.0 for Exchange Server 2000 | |
Symantec Corp Antivirus | |
Symantec Endpoint Protection 11 | Collects events from Symantec Endpoint Protection versions 11 and later. |
Symantec Endpoint Protection Small Business Edition - Application logs | Collects Symantec Endpoint Protection Small Business Edition events from the Windows Application log. |
Symantec Endpoint Protection Small Business Edition - own logs | Collects Symantec Endpoint Protection Small Business Edition events from the Symantec Endpoint Protection Client event log. To enable, add a new key called Symantec Endpoint Protection Client under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Symantec Protection Engine | Collects events from Symantec Protection Engine. |
Trend IMSS | |
Trend IMSS Policy | |
Trend IMSS Virus | |
Trend InterScan | |
Trend Micro Control Manager | Covers logs from Trend Micro Control Manager and Trend Micro Apex Central (including Apex One). |
Trend Office Scan | |
Trend ScanMail | |
Trend Server Protect | |
VIPRE 5.0 | |
VIPRE Business - System Events 4.0 | |
VIPRE Business 4.0 | |
VIPRE Enterprise 3.1 | |
Webroot Antispyware Corporate Edition 3.5 | |
eEye Blink Professional Endpoint Protection | |
Application | Description |
---|---|
.Net Syslog Client | Collects events sent by the .NET Syslog client library. Supports both the RFC 3164 and RFC 5424 syslog formats, over UDP and encrypted (TLS) TCP transports. |
Application and Services Logs - CertificateServicesClient-Lifecycle-System | Collects the CertificateServicesClient-Lifecycle-System log (machine certificate enrollment, renewal and expiry events) from Applications and Services Logs. To enable, add a new key called Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Application and Services Logs - CertificateServicesClient-Lifecycle-User | Collects the CertificateServicesClient-Lifecycle-User log (user certificate enrollment, renewal and expiry events) from Applications and Services Logs. To enable, add a new key called Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Atlassian JIRA | |
BST Enterprise | Collects events from BST Enterprise. |
BST Enterprises | Collects events from BST Enterprises accounting software. |
BlueEye | Collects events from the Raytheon BlueEye video management system. To enable, add a new key called Raytheon Blue Eye under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Bomgar Appliance | Collects events from Bomgar remote support appliance. |
Bunyan Admin/DS Logging | Collects output from the Bunyan JSON logging library used by Node.js applications. |
Call Copy | Records the calls and screens of call center agents. |
Cimcor CimTrak via syslog | Cimcor CimTrak is a file integrity monitoring solution. |
Citrix StoreFront Delivery Services | Manages the delivery of desktops and applications from XenApp and XenDesktop servers and XenMobile servers in the data center to user devices. |
Cron Service | Gathers messages from the Cron daemon service. |
DAXMonitor- Demand AnalytX monitor | Collects DAXMonitor (Demand AnalytX monitor) events from the Windows application logs. |
Dell AppAssure | Collects events from Dell AppAssure backup and replication software. |
Dell Quest Rapid Recovery (AppAssure Logs) | Collects the AppAssure log of the Rapid Recovery backup and restore appliance. To enable, add a new key called AppAssure under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Dell Quest Rapid Recovery (Dell Logs) | Collects the Dell log of the Rapid Recovery backup and restore appliance. To enable, add a new key called Dell under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Dell Quest Rapid Recovery (Quest Logs) | Collects the Quest log of the Rapid Recovery backup and restore appliance. To enable, add a new key called Quest under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Denyhosts | Collects events from the DenyHosts SSH brute-force blocking script. |
Directory Synchronization | |
Epic | Electronic Health Records System. |
FactoryTalk View | Collects events from FactoryTalk View, a Rockwell Automation HMI application for machine-level operator interface devices. |
Flex Teller | |
Hitachi JP1 Job Management Partner 1 / Automatic Job Management System | Collects Hitachi JP1 Job Management Partner 1 / Automatic Job Management System 3 messages. |
Hitachi JP1 Job Management Partner 1/Base | Collects Hitachi JP1 Job Management Partner 1/Base messages. |
Honeyd Virtual Honeypot | Gathers messages from the Honeyd daemon. |
HuaweiNCE | Collects events from Huawei NCE devices. |
Hyland Workflow Timer Service | Collects events from the Hyland Workflow Timer Service, which runs and administers OnBase core-based workflow timers. To enable, add a new key called Hyland under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
HyperV-Hypervisor-Operational | Collects the Hyper-V Hypervisor Operational log. To enable, add a new key called Microsoft-Windows-Hyper-V-Hypervisor-Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
HyperV-Integration-Admin | Collects the Hyper-V Integration Admin log. To enable, add a new key called Microsoft-Windows-Hyper-V-Integration-Admin under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
HyperV-SynthNic-Admin | Collects the Hyper-V SynthNic (synthetic network adapter) Admin log. To enable, add a new key called Microsoft-Windows-Hyper-V-SynthNic-Admin under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
HyperV-VMMS-Admin | Collects the Hyper-V Virtual Machine Management Service (VMMS) Admin log. To enable, add a new key called Microsoft-Windows-Hyper-V-VMMS-Admin under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
HyperV-VMMS-Networking logs | Collects the Hyper-V VMMS Networking Windows event log. To enable, add a new key called Microsoft-Windows-Hyper-V-VMMS-Networking under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
HyperV-VMMS-Operational | Collects the Hyper-V VMMS Operational log. To enable, add a new key called Microsoft-Windows-Hyper-V-VMMS-Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
HyperV-Worker-Admin | Collects the Hyper-V Worker Admin log. To enable, add a new key called Microsoft-Windows-Hyper-V-Worker-Admin under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
IBM RACF and DB2 Syslog | Collects syslog events from devices running RACF and DB2. |
IBM RACF messages | Collects events from devices running RACF. |
JBoss Logging (MM/dd/yyyy HH:mm:ss) | JBoss is a Java application server. This connector covers logs whose timestamps use the format MM/dd/yyyy HH:mm:ss. |
JBoss Logging ISO8601 (yyyy-MM-dd HH:mm:ss) | JBoss is a Java application server. This connector covers logs whose timestamps use the ISO 8601 format yyyy-MM-dd HH:mm:ss. |
Linux YUM | |
Log4Net | |
Log4j | Collects Events from Log4j Applications. |
Luminis Access | Collects access logs from the Luminis web portal servers. |
Luminis cp | Collects cp logs from the Luminis web portal servers. |
Made2Manage | |
ManageEngine Password Manager Pro | Collects events from ManageEngine Password Manager Pro, a vault that stores and manages privileged credentials and other sensitive information. |
Meditech | Collects application access, configuration and user monitoring events from devices running Meditech software. |
Meditech EMR Access Log | |
Microsoft Lync | Microsoft Lync is an enterprise unified communications platform. To enable, add a new key called Lync%20Server under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Microsoft Windows AppLocker- EXE and DLL | Collects AppLocker allow and deny decisions for executables and DLLs. To enable, add a new key called Microsoft-Windows-AppLocker/EXEandDLL under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Microsoft Windows AppLocker- MSI and Script | Collects AppLocker allow and deny decisions for Windows Installer packages and scripts. To enable, add a new key called Microsoft-Windows-AppLocker/MSIandScript under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Microsoft Windows Failover Clustering (HyperV Cluster) logs | Collects the Windows Failover Clustering Operational log (Hyper-V cluster events). To enable, add a new key called Microsoft-Windows-FailoverClustering/Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
NetwrixAuditor | Covers Netwrix Auditor Integration API logs in Microsoft Windows Event format. |
OnBase enterprise information platform | Collects events from the Hyland OnBase enterprise content services platform (content, process and case management). To enable, add a new key called OnBase%20Log under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Oracle Hyperion FM log | Collects Windows Events from the Oracle Hyperion Financial Management Application. |
Oracle Linux messages log | Collects the Oracle Linux system messages log (/var/log/messages). |
Oracle WebLogic Server 12c | Oracle WebLogic Server 12c is a Java EE application server. The logLocation depends on the WebLogic server name and must be changed when creating a new connector. |
PowerShell | An automation platform and scripting language for Windows and Windows Server operating systems. |
PowerShell 5.0 | Collects the PowerShell Operational log (PowerShell 5.0 and later), which carries module logging and script block logging events; those logging features must themselves be turned on through Group Policy before the events exist. To enable the connector, add a new key called Microsoft-Windows-PowerShell/Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Print Services for Windows 7/2008(Admin) | Print Services helps to share printers on a network and centralize print server and network printer management tasks. To enable, add a new key called Microsoft-Windows-PrintService/Admin under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Print Services for Windows 7/2008(Operational) | Print Services helps to share printers on a network and centralize print server and network printer management tasks. To enable, add a new key called Microsoft-Windows-PrintService/Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
QCSI Application Log data | |
QCSI Data Logs | |
QCSI System Logs | |
Rohde and Schwarz CyberSecurity | Collects Rohde & Schwarz Cybersecurity logs. Supports the RFC 5424 syslog format. |
Salient Commercial Solutions | Collects events from Salient Commercial Solutions applications for the IBM, insurance and mortgage domains. |
Savant Protection | Collects application-specific events from devices with Savant Protection installed on them. |
Shibboleth IDP warn logs | Collects WARN-level log entries from the Shibboleth Identity Provider (IdP). |
Subnet POWER SYSTEM - AccessServer, ApplicationServer, DataServerSQL, ApplicationServerSharePoint | |
Syslog-ng | A separate connector for syslog-ng internal events. |
Toshiba devices | Collects events from Toshiba printer and multifunction digital imaging systems. |
Verint | Collects events from Verint customer engagement, security, surveillance and business intelligence products. |
Wescom Resources Group's Host Gateway Windows Log | |
Windows Active Directory Federation Services | Windows AD FS writes to several event logs. To enable, set logLocation to match the Log Name shown in Event Viewer, and add a new key with the same name as logLocation under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Windows Active Directory Federation Services, Auditing | |
Windows DHCP Server 2000/2003/2008 event Log(Admin) | |
Windows DHCP Server 2000/2003/2008 event Log(Operational) | To enable, add a new key called Microsoft-Windows-Dhcp-Server/Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Windows Secure Envoy Log | Collects authentication events from the Windows Secure Envoy log. |
Windows Setup Log | To enable, add a new key called Setup under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
db2diag local file non-syslog | Reads the IBM DB2 db2diag diagnostic log directly from the local file rather than via syslog. |
vCenter vpxd 6.0 logs | Collects the vpxd (vCenter Server service) logs from VMware vCenter Server 6.0. |
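The Windows event log connectors in the table above (Windows Defender, the CertificateServicesClient logs, AppLocker, PowerShell 5.0, Hyper-V, Failover Clustering, Print Services, AD FS, DHCP, Setup and others) all follow one procedure: add a registry key named after the log channel, with the name exactly as the table gives it. The PowerShell below is an added example written for this page, not SolarWinds' code and not the KB procedure itself. It assumes that the %20 and %4 sequences in the table's key names encode a space and a slash in the Event Viewer Log Name, and that the parent registry key is the one named in the KB article, which this page does not reproduce, so the script takes it as a mandatory -RegistryPath parameter instead of guessing it. The function names are the author's own. Before creating the key it checks that the channel exists and is enabled (Analytic and Debug channels ship disabled, so the connector would otherwise forward nothing), and it creates the key through the .NET registry API because the PowerShell registry provider treats the slash in names such as Microsoft-Windows-PowerShell/Operational as a path separator.

```powershell
#Requires -RunAsAdministrator
# Added example for this page; not SolarWinds code. -RegistryPath is the parent key
# from the SEM KB article (not given on this page), relative to HKLM.

function Test-SemEventChannel {
    param(
        # Key name exactly as written in the connector table, e.g. 'Lync%20Server'
        # or 'Microsoft-Windows-PowerShell/Operational'.
        [Parameter(Mandatory)] [string] $KeyName
    )
    # Assumption: the table encodes a space as %20 and a slash as %4 (as .evtx file
    # names do); Event Viewer's "Log Name" is the decoded form.
    $logName = $KeyName -replace '%20', ' ' -replace '%4', '/'
    $log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
    $enabled = $false
    $records = 0
    if ($log) { $enabled = $log.IsEnabled; $records = $log.RecordCount }
    [pscustomobject]@{
        KeyName   = $KeyName
        LogName   = $logName
        Exists    = [bool] $log
        IsEnabled = $enabled
        Records   = $records
    }
}

function Register-SemEventChannel {
    param(
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [string] $RegistryPath,   # parent key under HKLM, from the KB article
        [switch] $EnableChannel
    )
    $status = Test-SemEventChannel -KeyName $KeyName
    if (-not $status.Exists) {
        throw "No Windows event log named '$($status.LogName)'. Compare the key name with the Log Name shown in Event Viewer."
    }
    if (-not $status.IsEnabled) {
        if ($EnableChannel) {
            # Analytic/Debug channels ship disabled; enable through the
            # EventLogConfiguration API rather than by hand-editing the registry.
            $cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $status.LogName
            $cfg.IsEnabled = $true
            $cfg.SaveChanges()
        } else {
            Write-Warning "'$($status.LogName)' exists but is disabled; SEM receives nothing until it is enabled (re-run with -EnableChannel)."
        }
    }
    # Create the key through .NET: the PowerShell registry provider accepts '/' as a
    # path separator, so New-Item would split 'X/Operational' into nested keys X\Operational.
    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($RegistryPath, $true)
    if (-not $parent) { throw "HKLM\$RegistryPath does not exist; check the path in the KB article." }
    try {
        $key = $parent.CreateSubKey($KeyName)   # no-op if the key already exists
        $key.Close()
    } finally {
        $parent.Close()
    }
    Test-SemEventChannel -KeyName $KeyName
}

# Usage (elevated; replace the placeholder with the parent key named in the KB article):
# Register-SemEventChannel -KeyName 'Microsoft-Windows-PowerShell/Operational' `
#     -RegistryPath '<parent key from KB article>' -EnableChannel
```

If Test-SemEventChannel reports Exists = False for a key name taken from the table, do not create the key blindly: compare the decoded name with the Log Name column in Event Viewer (Get-WinEvent -ListLog '*' | Select-Object LogName), since the agent reads whatever channel the key is named after and a mismatch silently yields no events.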
Application Switch | Description |
---|---|
Cisco Content Services Switch | Collects events from Cisco Content Services Switches. |
Citrix Secure Access Gateway Enterprise Appliance / Netscaler | Collects events about application access, configuration, and user monitoring from Netscalers. |
ConSentry Controller | Collects events from ConSentry switches. |
Coyote Point Equalizer | Collects events from the Coyote Point Equalizer server load balancing appliance. |
F5 BigIP BSD daemon messages | Collects events about services running on F5 appliances. |
F5 BigIP HTTPD specific | Collects web traffic events (primarily HTTP errors and warnings) from F5 appliances. |
F5 BigIP messages | Collects authentication and service-related events on the F5 appliances. |
F5 General BIG-IP specific messages | Collects events specific to the Local Traffic Manager (LTM) and Application Security Manager (ASM) modules on F5 appliances. |
FireProof | Collects events from FireProof application switches. |
LinkProof | Collects device information and connection events from LinkProof switches. |
Nortel Alteon | Collects events from Nortel Alteon application switches. |
Radware AppDirector | |
Data Loss Prevention | Description |
---|---|
Bit9 Parity v5+ Syslog | Collects events generated by the Bit9 Parity application control suite. |
CodeGreen Content Inspection | Collects content inspection events from devices where Code Green is deployed. Enable the Code Green Content Inspection User connector alongside it. |
CodeGreen Content Inspection user | Collects user management events (user creation and deletion, LDAP connections, settings changes) from devices where Code Green is deployed. Enable the Code Green Content Inspection connector alongside it. |
DeviceLock Audit | |
DeviceLock Events | |
EMC RecoverPoint | Collects authentication and device management events from RecoverPoint and RecoverPointSE appliances. |
FileSure | |
Forcepoint TRITON AP-DATA | Collects events from Forcepoint/Websense TRITON AP-DATA and Forcepoint DLP. |
Microsoft Backup Operational logs | To enable, add a new key called Microsoft-Windows-Backup/Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Microsoft Data Protection Backup manager | To enable, add a new key called DPM Backup Events under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
Microsoft Data Protection Manager | To enable, add a new key called DPM Alerts under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
NuBridges Protect Key Manager | Collects events from NuBridges Protect Key Manager. Use together with the NuBridges Protect Resource Service and NuBridges Protect Token Manager Engine connectors. |
NuBridges Protect Resource Service | Collects events from the NuBridges Protect Resource Service. Use together with the NuBridges Protect Key Manager and NuBridges Protect Token Manager Engine connectors. |
NuBridges Protect Token Manager Engine | Collects events from the NuBridges Protect Token Manager Engine. Use together with the NuBridges Protect Key Manager and NuBridges Protect Resource Service connectors. |
Rubrik | Backs up VMs and physical machines. |
SecureSphere | Collects events from Imperva SecureSphere Database, Web, and File security products. |
SecureSphere Database Gateway 6.0 | Collects events from Imperva SecureSphere Database Gateways using firmware version 6.0+. |
SecureSphere System and Firewall Events 6.0 | Collects events from Imperva Firewalls using firmware version 6.0+. |
SecureSphere Web Application Firewall 6.0 | Collects events from Imperva SecureSphere Web Application Firewalls using firmware version 6.0+. |
SecureSphere v10 | Collects events from Imperva SecureSphere v10. |
Veeam backup and availability | Veeam Backup & Replication provides backup and recovery of virtualized applications and data. |
Veeam endpoint backup and availability | Veeam Endpoint Backup provides backup and recovery of physical workstations and servers. |
Vericept Monitor | Collects communication events from devices running Vericept Monitor software. |
Websense Data Security | Collects device/software events from Websense gateways. |
Database | Description |
---|---|
Collects events from Postgres Database log file | Collects events from the PostgreSQL server log file. |
IBM DB2 messages | Collects events from DB2. |
LOGbinder SQL | Collects SQL Server audit events that LOGbinder for SQL Server has translated into the Windows event log. |
LOGbinder SQL Security | Collects SQL Server audit events that LOGbinder for SQL Server has written to the Windows Security log. |
MS SQL Audit Events | Collects Microsoft SQL Server Audit events written to the Windows Application or Security log. For more information about SQL Server auditing, see SQL Server Audit (Database Engine) in the Microsoft SQL Server documentation. |
MSSQL Application Log | |
MySQL Database log | Monitors MySQL uptime, connections, and Error logs. |
MySQL database tools on Windows err log | MySQL provides a suite of tools for developing and managing business-critical applications on Windows. This connector reads the MySQL error log; choose the correct .err file when configuring it. |
OpenEdge Audit | |
Oracle Alert Log | Collects the Oracle alert log, which records critical database activity such as startup and shutdown, internal errors and structural changes. |
Oracle Auditor - Buffer - Extended version | Collects Oracle audit events from the audit log, including the table actions SELECT, INSERT, UPDATE, and DELETE. |
Oracle Auditor - Database | |
Oracle Auditor - Database - Extended | Collects audit events from the Oracle database audit trail, including SELECT, INSERT, UPDATE, and DELETE. |
Oracle Auditor - Syslog | Collects Oracle audit events via syslog. |
Oracle Auditor - Syslog - Extended version | Collects Oracle audit events via syslog, including the table actions SELECT, INSERT, UPDATE, and DELETE. |
Oracle Auditor - Windows | |
Oracle Auditor - Windows - Extended version | Collects Oracle audit events through the Windows event log, including the table actions SELECT, BEGIN, INSERT, UPDATE, and DELETE. |
Oracle Unified Auditing system. | Collects events from Oracle Unified Auditing, available from Oracle Database 12c onward; the unified audit policies must be configured manually. |
SolarWinds Log and Event Manager MSSQL Auditor | MSSQL Auditor supports only SQL Server versions up to 2016. SolarWinds recommends the 'MS SQL Audit Events' connector instead, since it supports the newest SQL Server versions. |
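The MS SQL Audit Events connector above only sees what SQL Server Audit writes to the Windows event log, so a server audit targeting that log has to exist before the connector produces anything. The PowerShell below is an added example written for this page, not SolarWinds' code or the Microsoft documentation's own sample. It assumes the SqlServer PowerShell module (for Invoke-Sqlcmd) and a login holding ALTER ANY SERVER AUDIT; the instance name, the audit and specification names, and the choice of action groups (logins, server role changes, and changes to the audit itself) are the author's own. It defaults to APPLICATION_LOG, which needs no extra operating system rights, and documents the prerequisites for SECURITY_LOG, the target a practitioner should prefer because a local administrator cannot clear it as casually as the Application log.

```powershell
# Added example for this page; not SolarWinds code. Creates the SQL Server Audit
# whose output the 'MS SQL Audit Events' connector reads from the Windows event log.
# Needs the SqlServer module (Install-Module SqlServer) and a login with
# ALTER ANY SERVER AUDIT; $Instance is a placeholder for your instance name.

function New-SemSqlServerAudit {
    param(
        [Parameter(Mandatory)] [string] $Instance,
        [ValidatePattern('^[A-Za-z0-9_]+$')] [string] $AuditName = 'SEM_Audit',
        # APPLICATION_LOG needs no extra OS rights. SECURITY_LOG is harder for a
        # local administrator to clear, but the SQL Server service account must hold
        # the 'Generate security audits' right (SeAuditPrivilege) and the
        # 'Audit object access' policy must be enabled, or the audit will not start.
        [ValidateSet('APPLICATION_LOG', 'SECURITY_LOG')] [string] $Target = 'APPLICATION_LOG'
    )
    # Names are validated above, so interpolating them into the T-SQL is safe here.
    # ON_FAILURE = CONTINUE keeps the instance up if the log cannot be written;
    # SHUTDOWN is the stricter choice where audit loss is unacceptable.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'$AuditName')
    CREATE SERVER AUDIT [$AuditName] TO $Target
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [$AuditName] WITH (STATE = ON);
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = N'${AuditName}_Spec')
    CREATE SERVER AUDIT SPECIFICATION [${AuditName}_Spec]
        FOR SERVER AUDIT [$AuditName]
        ADD (FAILED_LOGIN_GROUP),
        ADD (SUCCESSFUL_LOGIN_GROUP),
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
        ADD (AUDIT_CHANGE_GROUP)            -- records attempts to alter or disable the audit
        WITH (STATE = ON);
SELECT name, type_desc, is_state_enabled FROM sys.server_audits WHERE name = N'$AuditName';
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $sql -ErrorAction Stop
}

function Get-SemSqlServerAuditEvent {
    # SQL Server Audit writes to the Windows log as event ID 33205; the provider is
    # MSSQLSERVER for a default instance (MSSQL$<name> for a named instance).
    param([string] $LogName = 'Application', [int] $Newest = 5)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 33205 } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Message
}

# Usage:
# New-SemSqlServerAudit -Instance 'localhost'     # then cause one failed login and run:
# Get-SemSqlServerAuditEvent
```

The SELECT at the end of the batch returns is_state_enabled = 1 when the audit started; if it returns 0 with the SECURITY_LOG target, check the service account's SeAuditPrivilege and the object access audit policy before touching the connector, because the connector side has nothing to fix.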
E-Mail | Description |
---|---|
IBM Domino (AIX) | IBM Domino (Lotus) for AIX. |
LOGbinder for Exchange | |
Lotus Notes Webmail | |
Lotus Notes and Domino Server 8 | |
Microsoft Exchange Application Log | |
Microsoft Exchange Event Log | |
Microsoft Exchange Management Log | Collects the Microsoft Exchange Management log, which records administrative cmdlet activity on the Exchange server. |
Microsoft Exchange Message Tracking | Tracks all mail and message activity on the Microsoft Exchange server. |
File Transfer and Sharing | Description |
---|---|
Accellion Secure File Transfer using https and SFTP | Accellion is a content collaboration platform that gives users centralized, secure access to multiple on-premises and cloud content systems. This connector collects its HTTPS and SFTP transfer events. |
Axway Secure Client | Collects events from the Axway Secure Client. |
Cerberus FTP Server | |
CrushFTP | Collects events from the CrushFTP file transfer server. |
DFS Replication | Gathers Distributed File System Replication events from the DFS Replication Windows Event Log. |
EFT Server Enterprise Windows Application Log | |
FileZilla | |
GENE6 Secure FTP Server Security | Gene6 FTP Server is a professional Windows FTP Server used to transfer important files over the Internet. |
GENE6 Secure FTP Server Transfer | Gene6 FTP Server is a professional Windows FTP Server used to transfer important files over the Internet. |
Globalscape EFT client | |
Globalscape Secure FTP (W3C Extended file format) | |
GoAnywhere Services | A secure FTP server (and optional web server) that allows trading partners and employees to connect to your system and exchange files in a secure environment. |
HP StorageWorks Modular Smart Array SNMP | Collects SNMP traps from HP StorageWorks Modular Smart Array storage. |
LOGbinder for Sharepoint: LOGbinder SP log | |
LOGbinder for Sharepoint: LOGbndSP log | |
LOGbinder for Sharepoint: Security Log | |
MOVEit Log | |
MOVEit Windows Application Log | |
Microsoft IIS FTP Server 5+ (W3C Extended file format) | |
Microsoft IIS FTP Server 7.0 (W3C Extended file format) | |
Microsoft Offline Files Operational | Collects the Microsoft Offline Files Operational log, which records Sync Center and offline file synchronization issues. To enable, add a new key called Microsoft-Windows-OfflineFiles%4Operational under the registry entry described in the linked KB article (which shows the same procedure on a different connector). |
OpenBSD FTPd | Collects FTP-related events from devices running OpenBSD FTPd. |
Panzura Distributed File Services | Collects events from the Panzura global file system, which presents public or private cloud storage as a distributed file system. |
ProFTPD Access | |
ProFTPD Auth | |
Pure Storage Purity | Collects events from Pure Storage Purity, the storage operating environment of Pure Storage flash arrays. |
Pure-FTPd | |
QNAP NAS/File Server | |
Samba | Collects file and print sharing related events from devices running Samba. |
Serv-U FTP Server | |
Serv-U FTP Server (Never Rotate) | |
SmartFile Secure File Sharing and Transfer Solutions | Collects events from SmartFile secure file sharing and transfer. |
Solarwinds SFTP/SCP Server | Solarwinds SFTP/SCP Server is a free SFTP server for reliable and secure network file transfers. |
Varonis DatAdvantage File Monitoring | Varonis DatAdvantage monitors network file shares and directory services for suspicious behavior. This connector collects its file activity and user behavior events, which support breach detection and permissions auditing. |
WS_FTP Server Corporate | Collects FTP traffic analysis events, by user, source, destination, configuration, and authentication, from devices running WS_FTP. |
secRMM | Collects events from secRMM (Security Removable Media Manager). |
vsftpd xferlog | |
Firewalls | Description |
---|---|
A10 Load Balancer and Web Application Firewall | Gathers events from A10 Load Balancer and A10 Web Application Firewall devices. |
AhnLab TrusGuard | Collects events from an AhnLab TrusGuard device. |
AppWall | Collects events from the Radware AppWall web application firewall (WAF). |
Applicure dotDefender | Applicure dotDefender web application firewall. |
Barracuda NG Firewall (Phion Netfence) | |
Barracuda NG Firewall (Phion Netfence) Extended | |
Barracuda Web Application Firewall | Collects events from Barracuda Web Application Firewall devices. Use this connector together with the BarracudaAdmin and BarracudaWeb connectors. A newer connector (BarracudaADC) covers the System, Web Firewall, Access, Audit and Network Firewall logs; try it first and fall back to this connector if it does not match your logs. |
BLUEMAX NGF Firewall | Collects events from a BLUEMAX NGF Firewall device. |
Borderware Firewall | Collects events from Borderware (now Watchguard XCS) appliances. |
Check Point Firewalls 5000 series | Gathers logs from Check Point Firewalls 5000 series. |
CheckPoint 600 Appliances (optional) daemon.log | Collects daemon.log events from Check Point 600 appliances. May also work for 700 appliances, but SolarWinds has not verified this. The appliance writes to auth.log (required connector), user.log and daemon.log (optional connectors). |
CheckPoint 600 Appliances (optional) user.log | Collects user.log events from Check Point 600 appliances. May also work for 700 appliances, but SolarWinds has not verified this. The appliance writes to auth.log (required connector), user.log and daemon.log (optional connectors). |
CheckPoint 600 Appliances (required) auth.log | Collects auth.log events from Check Point 600 appliances. May also work for 700 appliances, but SolarWinds has not verified this. The appliance writes to auth.log (required connector), user.log and daemon.log (optional connectors). |
CheckPoint2200 | Collects events from the Check Point 2200 appliance, an all-in-one security gateway. |
CheckPoint2200Kern | Collects the kern log from the Check Point 2200 appliance, an all-in-one security gateway. |
CheckPointR80 | Gathers logs from Check Point R80.20. |
Checkpoint Edge X Firewall | Collects events from CheckPoint appliances that are running EdgeX firmware. |
Checkpoint Safe@Office Firewall | Collects events from CheckPoint appliances that are running the safe@office firmware. |
Cisco ASA and IOS | Collects events from Cisco ASA, PIX, FWSM, and ACE firewalls, as well as IOS based routers/switches. |
Cisco Firesight | Cisco FireSIGHT Management Center: Centralized Policy, Event, and Device Management. |
Cisco SA500 Series Security Appliances | Collects events from the 540 series of Cisco SA500 Security Appliances. |
Clavister firewall | Collects events from Clavister E80 and W20 next-generation firewalls. |
Cyberguard | |
D-Link DFL firewall | Collects events from D-Link DFL Firewalls. |
EndianUTM | Endian Unified Threat Management (UTM) is a set of security features integrated into an all-in-one solution. |
Firewall Blockbit | Collects logs from Blockbit Firewall. |
FortiClient | Provides automated endpoint threat prevention. |
FortiGate 5.0+ | Collects events from Fortigate UTM appliances that use firmware version 5.0 and later. |
GNAT Box System Software v.3.3 | Collects events from the GNAT Box UTM software firewalls OR hardware running GNAT Box v3.3 or higher. |
HP Firewall | Collects events from the HP Firewall Appliance. |
Hirschmann EAGLE System Industrial Firewall | Collects events specific to Hirschmann EAGLE System Industrial Firewall/VPN-router appliances. |
IBM DataPower | An XML Gateway appliance that supports security/Web services and Enterprise Service Bus aspects. |
IP Filter | Collects events from devices running IPFilter firewall software. |
IPFire OpenSource Firewall Distribution | A hardened Linux appliance distribution designed for use as a firewall. |
Incapsula Web Application Firewall via syslog | Collects events from the Incapsula Web Application Firewall via syslog. |
Ingate Firewall | Collects events for the Ingate Firewall 1190. |
Juniper Virtual Gateway | Collects events from Juniper virtual gateway devices. |
Juniper/NetScreen 5 | Collects events from Juniper firewalls running ScreenOS version 5.0 or later. |
Kerio Control Firewall | Network firewall, router and leading-edge IPS. |
McAfee Firewall v5.8 CEF | Collects events from McAfee Firewall/VPN appliances and Virtual Firewall/VPNs running software/firmware version 5.8 or later. |
McAfee ForcePoint Firewall | Collects events from Forcepoint Firewall/VPN appliances and Virtual Firewall/VPNs. |
Microsoft Forefront Threat Management Gateway 2010 Firewall (W3C Server file format) | Collects Microsoft Forefront Threat Management Gateway log messages from files in the W3C format. |
Microsoft ISA 2000 Firewall (ISA Server file format) | |
Microsoft ISA 2004 Web Proxy (ISA Server file format) | |
Microsoft ISA 2004 Web Proxy (W3C Server file format) | |
Microsoft ISA 2004/2006 Firewall (ISA Server file format) | |
Microsoft ISA 2004/2006 Firewall (W3C Server file format) | |
Microsoft ISA 2006 Web Proxy (ISA Server file format) | |
Microsoft ISA 2006 Web Proxy (W3C Server file format) | |
Microsoft ISA Firewall (W3C Extended file format) | |
Microsoft ISA Packet Filter (ISA Server file format) | |
Microsoft ISA Packet Filter (W3C Extended file format) | |
Microsoft ISA Server Application Log | |
Microsoft ISA Web Proxy (ISA Server file format) | |
Microsoft ISA Web Proxy (W3C Extended file format) | |
Microsoft Windows Firewall Advanced Security Events | Collects Microsoft Windows Firewall with Advanced Security firewall events. To enable, add a new key called Microsoft-Windows-Windows Firewall With Advanced Security/Firewall under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Netgear FV Series | Collects events from Netgear FV series firewall appliances. |
Netscreen (Juniper SRX firewall) | Collects events from Juniper NetScreen firewall appliances running firmware version 4.x. |
Network Box RM300 and ITPE1000 | Collects events from Network Box firewall devices. |
OPSEC(TM) / Check Point(TM) NG LEA Client | |
OPSWAT Metadefender | OPSWAT Metadefender - Data sanitization (CDR), vulnerability assessment, multiple anti-malware engines, and customized security policies. |
OSSEC Active Response log | Collects add and delete events from the OSSEC active response log. |
Palo Alto Networks Firewalls | Collects events from Palo Alto Networks firewalls running PAN-OS. To enable this connector, set the syslog Log Format to BSD and leave every field in Custom Log Format at Default. See this KB article to set up logging. |
SECUI MF2 | Collects events from a SECUI MF2 Firewall device. |
Sidewinder 6.1+ Firewall | Collects events from the McAfee Sidewinder Firewall (versions 6.1+). |
Sidewinder Firewall | Collects events from the McAfee Sidewinder Firewall (versions before 6.1). |
SonicWall | Collects events from Dell SonicWall Firewall devices. |
SonicWall GMS | |
Sophos (Astaro) Security Gateway | Collects events from the following Sophos (Astaro) Security Gateways: 110, 120, 220, 320, 425, 525, 625. |
Sophos XG Firewall | Collects events from Sophos XG Firewall. |
StoneGate Firewall v5.3 CEF | Collects events from StoneGate Firewall/VPN appliances and Virtual Firewall/VPNs running software/firmware version 5.3 or later. |
Stormshield (Netasq) Firewall | Collects events from Stormshield (formerly Netasq) firewalls. |
Symantec Velociraptor 1.5 | Collects events from the Symantec Velociraptor Firewall version 1.5. |
Symantec Velociraptor 2.0 | Collects events from the Symantec Velociraptor Firewall version 2.0. |
Symantec Velociraptor 3.0 | Collects events from the Symantec Velociraptor Firewall version 3.0+. |
Tippingpoint X505 | Collects Firewall, VPN, and Web events from the Tippingpoint X-series. |
Titanium Mirror Firewall | Collects events for Titanium Mirror firewalls (TM0100, TM0300, TM0310, and TM1100). |
Tofino Firewall LSM for Industrial Networks | Collects events from Tofino Firewall LSM appliances that control traffic on industrial networks. |
Trend Deep Security | Collects events from devices running Trend Deep Security software. |
Trend Deep Security LEEF logs format | Collects events from devices running Trend Deep Security software. |
Untangle NG Firewall | Collects events from Untangle NG Firewall. |
VMWare vShield Edge Firewall | Gathers events from VMWare's vShield Edge Firewall. |
VisNetic Firewall | |
WatchGuard firewalls | Collects events from Watchguard firewalls. |
Windows Firewall | |
ZyXEL ZyWALL CEF Format | Gathers events from ZyXEL ZyWALL devices in CEF format. |
eSoft | Collects events from the following InstaGate devices: Firewall models 404, 404e, 604, 806, and ThreatWall models 250, 450, and 650. |
iptables / netfilter | Collects events from devices running iptables or netfilter. |
pfSense Firewall/Router | pfSense is an open source firewall/router computer software distribution based on FreeBSD. |
IAM | <return to top> |
BioPassword | |
Cisco (NAC) Network Access Control Appliance with Clean Access Manager (CAM) or Server (CAS) Software | Collects events from Cisco NAC (clean access) appliances. |
Cisco ACS Admin Audit | |
Cisco ACS Admin Audit 4.1+ | |
Cisco ACS Backup and Restore | |
Cisco ACS Database Replication | |
Cisco ACS Database Sync | |
Cisco ACS Express | |
Cisco ACS Failed Attempts | |
Cisco ACS Passed Authentications | |
Cisco ACS RADIUS Accounting | |
Cisco ACS Service Monitoring | |
Cisco ACS TACACS+ Accounting | |
Cisco ACS TACACS+ Administration | |
Cisco ACS User Password Changes | |
Cisco ACS VoIP | |
Cisco Customer Voice Portal Application Activity Date Rotating Log | Activity taken by callers when they visit an application. |
Cisco Customer Voice Portal Application Activity Log | Activity taken by callers when they visit an application. |
Cisco Customer Voice Portal Application Admin Date Rotating Log | Shows admin events for the app. |
Cisco Customer Voice Portal Application Admin Log | Shows admin events for the app. |
Cisco Customer Voice Portal Application Error Date Rotating Log | Shows system-error events for the app. Some events result in the failure of the call. |
Cisco Customer Voice Portal Application Error Log | Shows system-error events for the app. Some events result in the failure of the call. |
Cisco Customer Voice Portal Global Admin Date Rotating Log | Logs admin events that affect the server as a whole. |
Cisco Customer Voice Portal Global Admin Log | Logs admin events that affect the server as a whole. |
Cisco Customer Voice Portal Global Error Date Rotating Log | Logs errors that are outside the scope of one app. |
Cisco Customer Voice Portal Global Error Log | Logs errors that are outside the scope of one app. |
Cisco Customer Voice Portal Global call Date Rotating Log | Logs one row for each session (visit to one app by one call). |
Cisco Customer Voice Portal Global call Log | Logs one row for each session (visit to one app by one call). |
Cisco Customer Voice Portal Server Startup Error Date Rotating Log | Shows Global log. |
Cisco Customer Voice Portal Server Startup Error Log | Shows Global log. |
Cisco Identity Services Engine (ISE) | Automates and enforces context-aware security access to network resources. |
Cisco Secure ACS 4.1 Syslog | Collects events from Cisco ACS (versions 4.1 up to 5). |
Cisco Secure ACS 5+ Syslog | Collects events from Cisco ACS (versions 5 and up). |
ClearBox Enterprise RADIUS server | Collects authentication packet events from ClearBox Enterprise RADIUS Server 5.7. |
Cyber-Ark Vault | Collects events from the Cyber-Ark Vault Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite. |
Dell Defender | Manages two-factor and multi-factor authentication for identity storage and management. |
DigitalPersona Pro | |
Entrust Identity Guard (IDG) | Entrust Identity Guard (IDG) Identity-based security software. |
Extreme Sentriant | Collects identity and access management events from Sentriant appliances. |
FreeRADIUS | |
FutureX Excrypt | Gathers events from the FutureX Excrypt SSP9000 hardware security module. |
IAS RADIUS Non-Rotating File | |
IAS RADIUS Rotating File | |
IBM Tivoli Access Manager for Operating Systems | Gathers events from IBM Tivoli Access Manager for Operating Systems. |
Imprivata Appliance | Manages single-sign-on behavior, multi-factor authentication, and related authentication behavior for applications. |
Juniper SBR authentication accepts report log | |
Juniper SBR authentication rejects report log | |
KEMP Kern Log | KEMP load balancer kernel log. |
ManageEngine Password Manager Pro SNMP | |
Microsoft Azure AD Password Protection DC Agent Admin | Collects the Admin channel of the Azure AD Password Protection DC agent, which enforces global and custom banned-password lists so that users cannot set known-compromised passwords or passwords on the custom banned list. To enable, add a new key called Microsoft-AzureADPasswordProtection-DCAgent/Admin under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Microsoft RRAS | |
Microsoft RRAS Extended NPS Log Format | |
Microsoft Windows Group Policy Operational | Collects the Group Policy Operational channel. Group Policy provides centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment. To enable, add a new key called Microsoft-Windows-GroupPolicy/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Microsoft Windows Terminal Services Gateway | Collects the Terminal Services Gateway Operational channel. To enable, add a new key called Microsoft-Windows-TerminalServices-Gateway/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Microsoft Windows Terminal Services Gateway Admin | Collects the Terminal Services Gateway Admin channel. To enable, add a new key called Microsoft-Windows-TerminalServices-Gateway/Admin under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Microsoft Windows Terminal Services Remote Connection Manager | Collects the Terminal Services Remote Connection Manager Operational channel. To enable, add a new key called Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Net Access | |
NetIQ Directory and Resource Administrator | |
Novell Identity Audit DB | |
OneSpan | Collects events from OneSpan Authentication Server. |
Pleasant Password Server | Pleasant Password Server is a multi-user password management tool. |
PointSec PC | |
RSA Authentication Manager 7.1 | Collects authentication events from the RSA Authentication Manager 7.1 or higher. |
SafeNet Authentication Service (SAS) Windows Events | Collects SafeNet Authentication Service (SAS) Windows events. SafeNet Authentication Service is an on-premises authentication solution. |
SafeNet SafeWord | |
Safenet Authentication service | SafeNet's Authentication Service is a multifactor authentication (MFA) software product that adds supplementary security measures to standard user name/password logins for a variety of servers and services. |
SanDisk CMC | |
SecurID | |
SecurID Syslog | Collects syslog events from RSA ACE/Server. |
SecureAuth IdP | Provides infrastructure for multi-factor authentication and single sign-on. |
Shibboleth Identity Provider | Shibboleth SAML/CAS Identity management system, audit logging. |
SolarWinds Access Rights Manager | Gathers messages from SolarWinds Access Rights Manager. |
Thycotic Secret Server | |
TriCipher | Collects events from devices running the TriCipher software. |
Two-Factor Authentication For Active Directory | Collects AuthLite two-factor authentication events. To enable, add a new key called AuthLite Security under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Vormetric | Collects file access events, administrative activity, and service activity (such as agent problems) from devices running Vormetric software or appliances. |
Windows IAS and NPS System Log | Collects messages from Windows Internet Authentication Service (IAS) and Windows Network Policy Server (NPS) through the Windows System log. |
Windows server netlogon debug log | Netlogon is a Windows Server process that authenticates users and other services within a domain. |
eDMZ Password Auto Repository | Collects events from eDMZ appliances (also called Quest Privileged Password Manager). |
entrust | Provides identity-based security solutions for governments, enterprises, and financial institutions. |
IDS and IPS | <return to top> |
ActiveScout | Gathers events from ForeScout's ActiveScout (CounterAct Edge) Intrusion Prevention System (IPS) device. |
Cisco FirePOWER Module (Sourcefire 3D system) | Cisco FirePOWER Module (Sourcefire 3D Network Defence System). |
Cisco IDS/IPS v4/5.x | |
Cisco IPS 5+ (SDEE) | |
Core Network Insight | Core Network Insight (formerly Damballa Failsafe) is an advanced threat detection system. |
Darktrace - threat detection and classification | Darktrace is threat detection and classification solution. |
Dragon IDS | Collects events from Enterasys Dragon IDS/IPS appliances. |
FortiSnort | |
GFI LANguard System Integrity Monitor 3 | |
IBM IPS XGS | Collects events from IBM Security Network Protection XGS solutions. |
IBM XGS | IBM XGS Intrusion Prevention System. |
ISS Proventia IPS | |
ISS RealSecure IDS | |
Juniper IDP 250 v5.0 | Collects events from Juniper IDP 250 appliances running firmware version 5.0+. |
Juniper IDP 3.x | Collects events from Juniper IDP appliances running firmware version 3.x. |
Juniper IDP 4.0+ | Collects events from Juniper IDP appliances running firmware version 4.0+. |
McAfee Network Security Manager | Collects events from McAfee IPS devices. |
Microsoft ATA (Advanced Threat Analytics) | Microsoft Advanced Threat Analytics (ATA) is an on-premises platform that detects suspicious activity and attacks against Active Directory by analyzing domain controller traffic and events. |
NitroGuard IPS - Snort Format | Collects Snort-format events from Nitroguard IPS appliances. |
NitroSecurity IPS | Collects Nitro-format events from Nitroguard IPS appliances. |
Osiris Host Integrity Monitoring System | |
Radware DefensePro | A real-time, behavioral based attack mitigation device. |
Reflex IMC | Collects Intrusion events from the Reflex Security IPS. |
Secure Auth (Syslog) | Collects audit events from SecureAuth IdP appliances in syslog format. |
SecureAuth Error logs | Collects error and warning events from SecureAuth IDP appliances. |
SecureAuth Logging Audit logs | Collects audit events from SecureAuth IDP appliances. |
SecureAuth Logging Audit logs_Rotating | Collects audit events from SecureAuth IDP appliances. |
SecureNet IDS | |
Sentinel IPS | Collects events from Sentinel Intrusion Protection System. |
Snort | |
Sophos Central Cloud | Sophos Central Cloud Endpoint Protection. |
Symantec Gateway IDS | Collects events from the Symantec Gateway IDS. |
SyslogSnort | |
TippingPoint Audit and System | Collects audit and system events from Tippingpoint devices. |
Tippingpoint IPS 1.4 | Collects IPS events from TippingPoint SMS, as well as IPS versions 1.4 and 2.1+. |
Tippingpoint IPS 2.1 | Collects IPS events from TippingPoint SMS, as well as IPS versions 1.4 and 2.1+. |
Tippingpoint SMS | Collects IPS events from TippingPoint SMS, as well as IPS versions 1.4 and 2.1+. |
TopLayer Attack Mitigator | Collects DOS/DDOS events from TopLayer IPS 5500 EC-Series and TopLayer IPS 5500 ES-Series appliances. |
Trend Micro Deep Discovery Inspector | Detects targeted attacks and targeted ransomware. |
Trend Micro HIDS - ossec syslog | Trend Micro HIDS: integrates OSSEC alerts on suspicious activity via syslog. |
Trend Micro Interscan Gateway Security Appliance | Collects events from Trend Micro InterScan Gateway Security appliances. |
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) - Email Gateway | Collects logs from email messages, network traffic, and system events. |
Tripwire Enterprise | Collects host and file integrity monitoring events from devices running Tripwire software. |
Manager | <return to top> |
Debian DPKG | Debian DPKG package manager log. |
Manager Monitor | |
Micro Focus Content Manager (DB Rotating) | Normalizes rotating DB log data from Micro Focus Content Manager (formerly HPE Content Manager / TRIM / Records Manager), a certified integrated records and document management toolset that attaches retention, access control, and other bureau-specified rules and attributes to electronic documents. |
Micro Focus Content Manager (TALF) | Normalizes TALF data from Micro Focus Content Manager (formerly HPE Content Manager / TRIM / Records Manager), a certified integrated records and document management toolset that attaches retention, access control, and other bureau-specified rules and attributes to electronic documents. |
MicrosoftWindowsRemoteManagement-Operational | Collects the Windows Remote Management (WinRM) Operational channel. WinRM is Microsoft's implementation of the WS-Management protocol, which lets hardware and operating systems from different vendors interoperate. To enable, add a new key called Microsoft-Windows-WinRM%4Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
SWLEM Reports | Collects report events from SolarWinds Log and Event Manager (LEM). |
nDepth Log Storage Message | |
Network Access Control | <return to top> |
Aruba ClearPass Policy Manager | The ClearPass Policy Manager simplifies network access security by optimizing policies and AAA for mobile enterprises. |
Cisco Prime Security Manager | Centralized tool to manage Cisco ASA 5500-X Series Next-Generation Firewalls. |
Network Management | <return to top> |
Airwatch | Airwatch Mobile Device Management. |
Arbor Pravail APS 2104 | Used for DDOS attack detection and mitigation. |
Aruba Airwave Management Platform | Manages and monitors wireless environments and controllers; detects and remediates rogue devices and attacks and identifies their location. |
Axcient Unified Management Console (UMC) | |
Barracuda Load Balancer ADC | Collects Load Balancer ADC events. Also collects System, Web Firewall, Access, Audit and Network Firewall Logs. |
Barracuda Web Security Gateway | Web security gateway providing spyware, malware, and virus protection. |
Blue Coat PacketShaper | Helps enterprises control bandwidth cost, deliver a superior user experience, and align network resources with business priorities. |
Carbon Black Enterprise Response | Carbon Black Enterprise Response - Real-time EDR and incident response. |
Cimcor CimTrak | Cimcor CimTrak WTLogs. |
Cisco Wireless Access Point | Collects events from Cisco Wireless Access Points. |
Cisco Wireless Control System | Collects events for Cisco Wireless Control System. |
Cisco Wireless LAN Controller snmp trap logs | Wireless Access Point for Businesses. |
Citrix XenMobile | Collects system and audit syslog events from Citrix XenMobile mobile device management (MDM). |
DNA OASyS | Covers logs from multiple files: archive.log, cleanup.log, cmxrepsvr.log, collectLog.log, DPdirect_*.log, and oasErrLog.log. DNA OASyS 7.5 by Schneider is a SCADA control system. |
DNA OASyS xosErrLog | Covers the xosErrLog.log file. DNA OASyS 7.5 by Schneider is a SCADA control system. |
Dameware Remote Administration | |
ExtraHop Reveal(x) | Collects the stored audit log data that the ExtraHop system is configured to send to a remote syslog server. |
Fujitsu iRMC | Fujitsu integrated Remote Management Controller. |
Gemalto High Availability (HA) Log Messages | Gemalto Network HSM HA-related events including HA errors, add-member and delete-member events. |
HPE Intelligent Management Center (IMC) | HPE Intelligent Management Center (IMC), Network Management. |
Juniper NSM | Collects events aggregated from Juniper devices. |
Lancope StealthWatch | Collects network events from StealthWatch appliances. |
Lantronix SLC 8000 | Collects events from Lantronix SLC devices. |
MS Forefront Endpoint Protection | Microsoft Forefront Endpoint Protection, managed through SCCM, discovers the servers, desktops, tablets, and other devices joined to the network through Active Directory and protects the data stored on them. |
Microsoft Exchange High Availability Logs | Collects the Exchange High Availability Operational channel. To enable, add a new key called Microsoft-Exchange-HighAvailability/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
MicrosoftNetworkProfileOperational | Collects the Windows Network Profile Operational channel. Network profiles define the attributes used when connecting to a basic service network. To enable, add a new key called Microsoft-Windows-NetworkProfile/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
NGINX Plus web delivery platform error logs | Collects error logs from NGINX Plus, which adds enterprise features for HTTP, TCP, and UDP load balancing such as session persistence, health checks, advanced monitoring, and management. |
Nagios | |
Radius server bundled with Windows Server 2008 and later | Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization. |
SecureLink Device | Vendor remote-access gateway appliance with two-factor authentication. |
SolarWinds Orion and Virtualization Manager | |
SolarWinds Platform events auditing | Collects auditing events from the SolarWinds Platform. |
Survalent ADMS Software automation solution | Survalent ADMS is a software automation solution that provides real-time supervisory control and data acquisition for utilities. |
TACACS | Provides centralized authentication, authorization and accounting (AAA) services for network devices. |
Titus Enterprise Information Protection | Protects enterprise information. |
Ubiquiti Wireless Access Point | Collects events from Ubiquiti Wireless Access Points. |
ePolicy Orchestrator (ePO) | |
ePolicy Orchestrator (ePO) 4.5+ | |
VMware vCenter Server | vCenter Server is the centralized management utility for VMware vSphere. |
Network Services | <return to top> |
Array APV 1600 | Array APV 1600: Application delivery controller - SSL/TLS accelerator. |
AudioCodes Mediant SBC | Collects logs from AudioCodes Mediant Session Border Controllers (SBC). |
Avaya SBC | Gathers logs from Avaya SBC. |
Barracuda Admin | Collects admin events, such as changes and updates, from all Barracuda devices. Recommend using this connector along with the BarracudaWebAppFW and BarracudaWeb connectors. |
Barracuda Mail Archiver | Cloud-Connected Message Archiving for Efficiency and eDiscovery. |
Barracuda Spam Firewall | Barracuda Spam and Virus Firewall manages all inbound and outbound email traffic. |
Bind | Collects application-specific events written to the application log. Used for firewalls and routers where BIND is deployed. Together with the linuxdhcpd.xml connector it also covers logs from Infoblox. |
CA's BrightStor v11.5 | |
Calix Telecommunications | Calix is a supplier of telecommunications access equipment for service providers. |
Cisco Network Registrar for Windows | |
Cisco Unified Communications Manager (CallManager) | Provides services such as session management, voice, video, messaging, mobility, and web conferencing. |
Dell PowerProtect DD | Collects events from the Dell EMC PowerProtect DD. |
DHCPd | Collects DHCP daemon lease grant, renewal, and location events from dhcp enabled devices. Covers logs from Infoblox together with connector bind.xml. |
DNS Bind | Collects application-specific events written to the application log. Used for firewalls and routers where BIND is deployed. |
Distil Networks | Distil Networks provides bot detection and mitigation. |
Eaton Cooper Power Systems | Provides power system operators with a complete suite of software applications to remotely manage installed intelligent electronic devices (IEDs). |
Gemalto Luna | Gemalto Luna. |
HuaweiNCE | Collects events from Huawei iMaster NCE (Network Cloud Engine) devices. |
IIS Configuration | Collects the IIS Configuration Operational channel. To enable, add a new key called Microsoft-Windows-IIS-Configuration-Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
IceWarp Mail Server (Merak) | IceWarp Mail Server (Merak) is a mail server. |
Infoblox NIOS | This connector is a combination of connector bind.xml and linuxdhcpd.xml. There is nothing specific to Infoblox. |
KEMP User Log | KEMP load balancer user authentication log. |
Kemp LoadMaster | Kemp LoadMaster (CEF format). |
Kerio Connect | Collects events from Kerio Connect mail server. |
Linux Sendmail | Collects mail-related events from devices running Sendmail software. |
LinuxLDAP Access | Gathers access messages from the LinuxLDAP server. |
LinuxLDAP Error | Gathers error messages from the LinuxLDAP server. |
Load Balancer | Collects Load Balancer administration logs and Apache logs. |
Locum RealTime Monitor | Collects events from Locum RealTime Monitor. |
Microsoft Cloud App Security | Collects events from the Microsoft Cloud App Security (CASB) SIEM agent through syslog. See this KB article for more information. |
Microsoft Exchange Server in W3C format without Fields value | Collects Microsoft Exchange Server logs in W3C format that do not include a Fields header. |
Microsoft Windows WAS, Microsoft Sharepoint Services, vmStatsProvider, Manager Reporter 2012 services Logs | |
NetIQ eDirectory | Collects Authentication/Creation/Deletion events from the Novell NetIQ eDirectory services. |
Netskope CASB | Netskope Security Cloud is a cloud access security broker (CASB) that sits between cloud service users and cloud applications, monitoring all activity and enforcing security policies. This connector covers syslog logs in CEF format. |
Nimble SAN | Collects events from Nimble SAN. |
Nozomi Guardian | Collects events from the Nozomi Guardian. |
Nutanix | Covers logs from all Nutanix products. |
OpenLDAP | Collects LDAP-related events from devices running OpenLDAP. |
Oracle Communications Subscriber-Aware Load Balancer and Session Border Controller (SBC), parts of Oracle Acme Packet | Collects events from the Oracle Communications Subscriber-Aware Load Balancer (SLB), which scales SIP session capacity, and the Oracle Communications Session Border Controller, which serves fixed-line, mobile, and over-the-top services. |
Oracle SD-WAN | Gathers logs from Oracle SD-WAN. |
Postfix | Collects events from Postfix Mail Server. |
Quest VMWare vRanger | Collects error and informational events from Quest Software's vRanger Pro and Standard Edition. |
Redline | Covers logs from Redline devices including RDL-3000. |
Riverbed/Brocade Stingray | Traffic manager/load balancer. Logs traffic rule violations, system changes, and similar events to syslog. |
SafeNet DataSecure Certificate Server | Collects events from the SafeNet DataSecure i450 appliance. |
Semafone | |
SolarWinds Web Help Desk | IT Services and Asset management software. |
Symantec Backup Exec System Recovery | |
Symmetricom SyncServer | Collects events from Symmetricom SyncServer series devices (including S100, S200, S250, S300, S350, and S350 SAASM). |
Synology cloud software | Synology creates network-attached storage (NAS), IP surveillance solutions, and network equipment. |
TACACS+ server based on Cisco engineering release | Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA). |
VMware NSX | Collects events from VMware NSX. |
WatchGuard Extensible Content Security (XCS) auth log | Collects authentication events from WatchGuard XCS devices. Requires OpenSSH and PAM to be configured to log to the same file so that everything is captured. |
WatchGuard Extensible Content Security (XCS) syslog | Collects syslog events from WatchGuard devices. |
Windows DHCP Server 2000 | |
Windows DHCP Server 2000/2003/2008 System Log | |
Windows DHCP Server 2003 and 2008 | |
Windows DNS-Server-Analytical | Collects the analytical log from Windows DNS Servers. This channel is disabled by default and writes nothing until it is enabled. To enable the connector, add a new key called Microsoft-Windows-DNSServer-Analytical under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Windows Server 2008 Log | |
named bind | Collects application-specific events written to the application log. Used for firewalls and routers where BIND is deployed. |
smnpd daemon messages | Collects events from various applications running the snmp daemon. |
Operating Systems | <return to top> |
AIX Audit | |
AIX Syslog | Gathers syslog events on OS access, configuration, user monitoring, and VM monitoring from devices running the IBM AIX operating system. |
Debian 8.8 kern logs | Debian 8.8 kern logs |
Debian v8.8 | Debian v8.8 logs |
FireEye Operating System | Collects events from FireEye Operating System. |
FreeBSD Authentication | Collects authentication events from devices running FreeBSD. Requires OpenSSH and PAM to be configured to log to the same file so that everything is captured. |
HP OpenVMS 8+ | Collects OS events for devices running OpenVMS 8 or later. |
HP-ux Syslog | Collects OS access, configuration, user monitoring, and VM monitoring events from devices running HP-UX. |
Legacy TriGeo Agent AS400 Tool | Collects auditing events from IBM AS400 appliances running Trigeo AS400 software. |
Linux Auditd | Linux Auditd (non-syslog). |
Linux PAM | Collects authentication events from devices running PAM software. |
Linux PAM command | Collects authentication events from devices running PAM software. |
Linux command line logging | |
Linux syslog events | Gathers syslog events on OS access, configuration, user monitoring, and VM monitoring from devices running RedHat and other Linux distributions. |
LogAgent for OS400 (Patrick Townsend Security Solutions) | Collects OS auditing information from IBM OS/400 systems (now IBM i). |
Mac OS X (crashreporter) | |
Mac OS X (install) | Collects software installation events from devices running Mac OS X. |
Mac OS X (mail) | Collects mail traffic events from devices running Mac OS X. |
Mac OS X (ppp) | |
Mac OS X (secure) | Collects authentication, account, and group events from devices running Mac OS X. |
Mac OS X (system) | Collects system-level events from devices running Mac OS X. |
Microsoft Cluster Services events | Collects the Failover Clustering Operational channel. To enable, add a new key called Microsoft-Windows-FailoverClustering/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Microsoft Sysmon | Microsoft Sysmon (System Monitor) logs process creation, network connections, and other system activity. To enable, add a new key called Microsoft-Windows-Sysmon/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Microsoft Windows NTLM | Collects the NTLM Operational channel. To enable, add a new key called Microsoft-Windows-NTLM/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Microsoft Windows Task Scheduler | Collects the Task Scheduler Operational channel on Windows Vista/7/2008 and later. To enable, add a new key called Microsoft-Windows-TaskScheduler/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Microsoft Windows Terminal Services Local Session Manager | The Microsoft-Windows-TerminalServices-LocalSessionManager component is responsible for starting the computer and implementing Windows Fast User Switching (FUS). To enable, a new key called Microsoft-Windows-TerminalServices-LocalSessionManager/Operational must be added to the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
MobileIron Assemble | Mobile Data Security and Device Management for Enterprises. |
MobileIron VSP | Mobile Data Security and Device Management for Enterprises. |
Novell Netware 4.1 - 5.3 | |
Novell Netware 6.5 | |
Novell Netware 6.5 (Database) | |
Novell Netware 6.5 File | |
Open SSH | Collects authentication events from devices running Open SSH. |
Oracle Linux secure logs | Oracle Linux secure logs. |
PowerTech Interact | Collects OS auditing information from IBM OS400 appliances (now called System i). |
SELinux | Collects events from devices running SELinux. |
SMB Server Audit | Collects audit events from Windows SMB Server. |
Solaris 10 BSM Auditing | Collects events from Solaris 10 servers running the Basic Security Module. |
Solaris 10 Snare Auditing | |
Solaris 11 | Collects events from Solaris 11 operating system. |
Solaris 8 and 9 Snare Auditing | |
VMware ESX esxcfg-firewall log | |
VMware ESX hostd log | |
VMware ESX messages log | Collects events from VMware ESX, to be run in conjunction with the Messages, Secure, vmkernel, and vmkwarning connectors. |
VMware ESX secure log | Collects events from VMware ESX, to be run in conjunction with the Messages, Secure, vmkernel, and vmkwarning connectors. |
VMware ESX vmkernel log | Collects events from VMware ESX, to be run in conjunction with the Messages, Secure, vmkernel, and vmkwarning connectors. |
VMware ESX vmkwarning log | Collects events from VMware ESX, to be run in conjunction with the Messages, Secure, vmkernel, and vmkwarning connectors. |
VMware ESXi Hostd log | Collects events from VMware ESXi, to be run in conjunction with the ESXi Messages, ESXi Hostd, and ESXi vmkernel connectors. |
VMware ESXi messages log | Collects events from VMware ESX, to be run in conjunction with the Messages, Secure, vmkernel, and vmkwarning connectors. |
VMware ESXi vmkernel log | Collects events from VMware ESX, to be run in conjunction with the Messages, Secure, vmkernel, and vmkwarning connectors. |
VMware Unified Access Gateway | Collects syslog events from VMware UAG (ESManager, Audit, and Admin events). |
Windows Application - Syslog | Windows Application logs through Syslog. |
Windows Application Log | |
Windows DNS Server Audit Log | To enable, a new key called Microsoft-Windows-DNSServer/Audit must be added to the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
Windows DNS Server Log | |
Windows DNS Traffic Log | |
Windows Directory Service Log | |
Windows File Integrity Monitoring (FIM) File and Directory | Windows File Integrity Monitor (FIM) provides configurable real-time change tracking for files and directories on Windows servers and workstations. Configure the files and directories (or dynamic patterns of files and directories) to monitor, and the types of changes to monitor for each configured file or directory. To learn how to configure FIM on Linux, see the following link: https://thwack.solarwinds.com/docs/DOC-190279 |
Windows File Integrity Monitoring (FIM) Registry | Windows File Integrity Monitor (FIM) provides configurable real-time change tracking for registry keys and folders on Windows servers and workstations. Configure the registry keys and folders (or dynamic patterns of registry keys and folders) to monitor, and the types of changes to monitor for each configured key or folder. To learn how to configure FIM on Linux, see the following link: https://thwack.solarwinds.com/docs/DOC-190279 |
Windows File Replication Service | |
Windows Filtering Platform Events | |
Windows NT/2000/XP Security Log | |
Windows Security - Syslog | Windows Security logs through Syslog. |
Windows Security Log | Windows Security logs (Windows 2008 and newer). |
Windows System - Syslog | Windows System logs through Syslog. |
Windows System Log | |
iSecurity CEF | Collects audit logs from iSecurity developed by RazLee. |
iSecurity for OS400 (Raz-Lee) | |
linuxauditd (syslog) | Normalizes Linux audit logs from syslog format into SEM. |
sudo | Collects events from various applications run through sudo. |
sudo syslog | Collects events from various applications run through sudo. |
Physical Infrastructure | <return to top> |
APC InfraStruXure | Gathers power monitoring events from InfraStruXure racks and UPS Network Management Cards. Also covers syslog events from NetBotz devices. |
APC Netbotz | Gathers non-syslog events from APC Netbotz devices. |
Dell DRAC | Dell Access Card for Remote Administration. |
Dell Server Administrator | Gathers Storage Management and System Events for Dell Server Administrator from the Windows Application Event Log. |
EMCUnity | Dell EMC Unity Storage array. |
Fujitsu Blade Servers | Fujitsu Blade Servers. |
Fujitsu Storage ETERNUS | Fujitsu Storage ETERNUS consolidates data for server virtualization, e-mail, databases and business applications, as well as centralized file services. |
Grandstream Gateway | The Grandstream Analog VoIP Gateway integrates traditional phone systems into a VoIP network and manages communication. |
HP BladeSystem Enclosure auth log | Collects authorization events from HP BladeSystem enclosures. |
HP BladeSystem Enclosure local log | Collects authorization events from HP BladeSystem enclosures. |
HP Printer | Collects events from HP Color LaserJet Enterprise M750 Printer series. |
HP Proliant iLO 4 | HP ProLiant iLO 4 and later - lights-out blade management. |
HPE 3PAR StoreServ | Hewlett Packard Enterprise 3PAR StoreServ. |
Hitachi AMS | Collects events from Hitachi Adaptable Modular Storage devices. |
JACO CartCare | |
Tripp Lite SNMPWEBCARD | Collects events from Tripp Lite SNMPWEBCARD. |
TrippLitePDU | TrippLitePDU is a network power distribution unit that distributes power supplied to the rack. |
Proxies/Content Filters | <return to top> |
Actiance Unified Security Gateway | Collects events from Unified Security Gateway appliances. |
Barracuda Web Filter | Collects Web traffic analysis events, by user, source, destination, configuration, and authentication, from Barracuda devices. Recommend using this connector along with the BarracudaAdmin and BarracudaWebAppFV connectors. |
Blue Coat Proxy SG web access | Collects Web Proxy Access events from the following series of Blue Coat ProxySG appliances: 210, 300, 510, 600, 810, 8100, and 9000. |
Blue Coat ProxySG | Collects events from the following series of Blue Coat ProxySG appliances: 210, 300, 510, 600, 810, 8100, and 9000. |
Cisco AsyncOS Access Log | Cisco AsyncOS Access Log (Squid Format). |
Cisco Content Security and Control Security Services Module 6.1-6.2 | Collects events from Cisco Content Security and Control Security Services Module 6.1-6.2. |
Cisco Content Security and Control Security Services Module 6.3+ | Collects events from Cisco Content Security and Control Security Services Module 6.3. |
ClearSwift Secure Email Gateway | Inspection and filtering of e-mail content. |
Forcepoint TRITON AP-WEB | Collects events from Forcepoint TRITON AP-WEB. |
FortiWeb Web Application Firewall | Collects web-related events and device information from FortiWeb Web Application Firewall appliances. |
IronPort Email Security Appliance | Collects mail-related events and device information from IronPort Email Security appliances. |
IronPort Web Security | Collects web-related events and device information from IronPort Web Security appliances. |
Mail Assure | Collects events from Mail Assure email security. |
McAfee Email Gateway | Collects mail-related events and device information from McAfee Email Gateway appliances. |
McAfee Web Gateway v6.x | Collects web-related events and device information from McAfee Web Gateway v6.x and higher appliances. |
McAfee Web Gateway v7.x | Collects web-related events and device information from McAfee Web Gateway v7.x and higher appliances. |
Sonicwall Email Security | |
Sophos ES appliance | Collects events from the Sophos Email Security appliance. It should be run in conjunction with the auth connector. |
Sophos ES appliance auth | Collects events from the Sophos Email Security appliance. It should be run in conjunction with the auth connector. |
Sophos WS appliance | Collects events from the Sophos Web Security appliance. |
Squid Access Log | |
SquidGuard Access Block Log | |
St. Bernard iPrism | Collects events from iPrism Internet Filtering Appliances. |
Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) Access | Collects Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) Access events from SG600 and possibly other appliances running SGOS. The connector requires the following fields to be set: #Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation cs-threat-risk x-bluecoat-transaction-uuid x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata) |
Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) SSL | Collects Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) SSL events from SG600 and possibly other appliances running SGOS. The connector requires the following fields to be set: #Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-category cs-threat-risk x-rs-certificate-hostname-threat-risk |
Symantec Web Security for Windows | |
SymantecWebGateway | Symantec Web Gateway Malware and content filtering screening device. |
Trend IWSVA Audit Log | |
Trend IWSVA URL Access Log | |
Trend IWSVA URL Block Log | |
Trend IWSVA Update Log | |
Trend IWSVA Virus Log | |
Trend-Micro IWSVA URL log | |
Websense Security Gateway Anywhere | Collects device/software events from Websense Security Gateway Anywhere appliances. |
Websense Web Filter and Websense Web Security | Collects device/software events from Websense gateways. |
Websense Web Filter and Websense Web Security Database | Collects device/software events from Websense gateways. |
Webtitan | Webtitan - Web Content Filter. |
eSafe | Collects web security and email security events from the eSafe application. |
Routers/Switches | <return to top> |
3Com Switch | Gathers events from the following 3com switches: 4400, 4500, 4500G, 4800G, 5500, 5500G, 7750, 8800, S7900E. |
AXIA Ethernet Switch | The modular broadcast control surface from Axia Audio. |
Adtran Atlas Switch | Gathers events from Adtran Atlas switches. |
Adtran NetVanta Router | Gathers events from the following series of Adtran NetVanta routers: 1300, 1500, 2000, 3100, 3200, 3300, 3400 (Modular Access and Multiservice Access), 4000, 5000, and 7100. |
Aerohive log | Aerohive SR2024, SR2024P, SR2148P, and CVG logs. |
Alcatel-Lucent OmniSwitch | Collects events from Alcatel-Lucent OmniSwitch. |
Allied Telesis Routers and Switches | Collects syslog data from Allied Telesis 8600 Series Fast Ethernet Layer 3 switches, and AT-41x routers. |
Arista switches | Collects events from Arista switches. |
Aruba CX switch | Collects events from Aruba CX switches. |
Aruba Wireless Access Point | Collects events from Aruba wireless access points with firmware version 2.x. |
Aruba Wireless Access Point 3x | Collects events from Aruba wireless access points with firmware version 3.0 and later. |
Aruba2930 | Aruba 2930M-24G switch. |
Aruba CX Switch | Collects events from Aruba CX switches. |
Avaya/Nortel VSP 7000 Ethernet Routing Switch | Collects events from the following Avaya/Nortel Ethernet Routing Switches: 5510, 5520, 5530-24TFD, 8600, VSP 7000. |
Blade RackSwitch | Collects events from Blade RackSwitch G8100 and G8124 10G Low Latency Switches, as well as the RackSwitch G8000 1-10G Aggregation Switch. |
Bluesocket vWLAN | Bluesocket devices Virtual Wireless LAN. |
Brocade Iron Series | Collects events from Brocade Iron Series switches and routers. |
Brocade VDX Switches | Collects events from Brocade VDX switches. |
Brocade Vyatta Router | Gathers events from Brocade Vyatta Router. |
Cisco 4000 Series Integrated Services Routers (ISRs), Intelligent WAN platform | Cisco 4000 Series Integrated Services Routers (ISRs), Intelligent WAN platform. |
Cisco CatOS | Collects events from Cisco Catalyst devices running IOS 12.2+, or CatOS 6.2+. |
Cisco Nexus NX-OS | Collects events from Cisco Nexus Switches (running NX-OS). |
Cisco Small Business 300 Series Managed Switch | Collects events from the series of Cisco Sx300 Security Appliances. |
Cisco Wireless LAN Controller and IOS-XE Software | Collects events for Cisco Wireless LAN Controllers, as well as for IOS-XE based routers/switches. |
DrayTek Vigor Series | Collects logs from DrayTek Vigor series routers. |
Dell Force10 Switch | Collects events from Dell Force10 Switch. |
Dell N Series Switches | Dell Networking N2000 Series 1GbE Layer 3 Switches. |
Dell PowerConnect Switches | Collects events from Dell J-EX4200 and J-EX8200 Ethernet switches. |
Enterasys C-Series and N-Series Switches | Collects events from Enterasys C-Series and N-Series switches. |
Enterasys IdentiFi Wireless Controller | Collects events for Enterasys IdentiFi Wireless Controller. |
Extreme Networks VSP | Extreme Networks VSP collects events from Virtual Services Platform devices. |
Extreme Switch | Collects events from Extreme Networks Alpine, BlackDiamond, and Summit switches. |
Foundry | Collects events from the following Brocade FastIron switches: 1500, 400, 800, and Edge Switches 2402, 4802, and 9604. |
FreeWave | |
HP MSM700 Series Controller | Collects network traffic events, changes to the device, device issues, and authentication events from MSM wireless controller devices. |
HP ProCurve 1910-24G-PoE Switch and H3C | Collects events for the HP ProCurve 1910-24G-PoE switch and the H3C and FlexFabric switch series. |
HP ProCurve Switches Firmware F.05.65+ zl Series | Collects events for HP ProCurve switches running firmware version F.05.65 and later. |
HP Router | Gathers events from the HP 930 MSR Router. |
Hirschmann OpenRail System Compact Switch | Collects events specific to Hirschmann OpenRail System Compact Switch appliances. |
Huawei Switches | Collects events from Huawei switches. |
Juniper JUNOS | Collects events from Juniper routers and switches running JUNOS. |
Junos Pulse Gateway | Junos Pulse Gateway provides SSL/VPN, network access control, and application acceleration. |
Meru Wireless | Meru MC3200 Meru Wireless Controller. |
MetaSwitch Universal Media Gateway | Collects events from MetaSwitch Universal Media Gateway MG6050. The connector should work for other versions as well. |
Mikrotik Routers | Provides wireless ISP systems for Internet connectivity around the world. |
Motorola WLAN Controller | Collects events from Motorola WLAN controller 4000 series appliances. |
Motorola WS2000 snmp | Gathers events from the Motorola WS2000 series switches through SNMP. |
Moxa Ethernet Switches | Collects events from Moxa ICS-67528A and EDS-G516E series Ethernet switches. |
NEC IX Router | Collects events from NEC IX Series routers. |
Netgear Switch | Collects events from Netgear switches. |
Nokia Switch | Collects events from Nokia 7750 and 7210 switches. |
Nortel Baystack | Collects events from Nortel Baystack switches. |
Nortel Contivity 200 Series | Collects events from Nortel Contivity secure IP gateways (200 series). |
Nortel Ethernet Routing Switch 4500 Series | Collects events from the Nortel Ethernet Routing Switch 4500 Series (Nortel is now part of Avaya). |
Nortel WLAN Security Switch | Collects events from the following Nortel WLAN Security Switches: WLAN Access Point 2330, 2330A, 2330B, 2332, 2350, 2360/2361, 2380, and 2382. |
Proxim Orinoco WAP | Collects events from the Proxim Orinoco Wireless Access Point. |
QLogic Fibre Channel Switch | Collects events from QLogic Fibre Channel Switches. |
Raritan Dominion Switch | Collects events from the Raritan Dominion KVM-over-IP switches. |
Ruckus ZoneDirector Wireless LAN Controller | Collects events for Ruckus ZoneDirector Wireless LAN controllers. |
RuggedCom Switch | Collects events from RuggedCom M2100, RST2228, and RX1500 switches. |
SilverPeak WAN Acceleration and Optimization | SilverPeak WAN Acceleration and Optimization. |
Telco Switch | Layer2 switch by Telco Systems. |
Velocloud | Collects events from the VMware VeloCloud firewall. |
Xirrus WiFi Array | Collects events from Xirrus wireless arrays. |
ZyXEL P-660HW-T | Gathers events from ZyXEL's P-660HW-T 802.11g Wireless ADSL 2+ 4-port Gateway. |
ZyXEL XGS4528F | Gathers events from ZyXEL's XGS4528F. |
Security and UTM | <return to top> |
Cyberoam UTM | Collects events from Cyberoam UTM appliances. |
Enforcive Enterprise Security | Enforcive/Enterprise Security for IBM i: access control, security, compliance and log management. |
FireEye Malware Protection System | Collects events from FireEye MPS appliance. |
FortiAuthenticator | Collects FortiAuthenticator events. |
FortiGate 2.5 | Collects events from FortiGate UTM appliances that use firmware version 2.5. |
FortiGate 2.8+ | Collects events from FortiGate UTM appliances that use firmware version 2.8 and later. |
FortiGate 300C | Collects events from FortiGate UTM appliances that use firmware version 300C. |
FortiMail Email Security Appliances | FortiMail is a complete Secure Email Gateway platform suitable for any size organization. |
McAfee Network and Security Platform (IntruShield) - deprecated | Collects events from McAfee Network and Security Platform (IntruShield). This connector is deprecated. As an alternative, use the McAfee Network Security Manager connector. |
Meraki MX | Collects events from Meraki MX Security Appliance. |
Proofpoint Enterprise Protection | Protects business from email threats and other forms of objectionable or dangerous content. |
SmoothWall Unified Threat Manager | Collects events from SmoothWall UTM appliances and software. |
Sophos UTM 9 | Collects events from Sophos UTM 9. |
Sophos UTM 9 (non unix syslog timestamp) | Collects events from Sophos UTM 9 that start with a date-time (format YYYY:MM:DD-HH:MM:SS) instead of a Unix syslog timestamp. |
WatchGuard Firebox | Outdated. Use WatchguardFirewalls.xml. |
WatchGuard Firebox X Edge E-Series | Outdated. Use WatchguardFirewalls.xml. |
WatchGuard SOHO | |
WatchGuard Xcore | Outdated. Use WatchguardFirewalls.xml. |
Zscaler Web Security / Advanced Security | Zscaler protects from malware, viruses, advanced persistent threats, and other risks. It can also stop inadvertent or malicious leaks of a company's sensitive data. |
Cyphort threat protection | Network-based next generation APT defense. |
FireEye HX | FireEye HX. |
Storage | <return to top> |
Dell Compellent storage | Collects logs from Dell Compellent Storage Area Network (SAN) controllers. |
Dell Equallogic storage area network systems | EqualLogic products are iSCSI-based storage area network systems marketed by Dell. |
HP StorageWorks Modular Smart Array | Collects device information events for StorageWorks arrays. |
IBM NetApp ONTAP | Collects device information events for NetApp appliances. |
NetApp | Gathers events from NetApp. |
NetApp ONTAP OnCommand | Collects events for ONTAP Cluster Management using OnCommand System Manager. |
Qumulo | Covers logs from Qumulo Core. |
System Scan Reporters | <return to top> |
ForeScout CounterACT NAC | |
Nessus Message | |
Nessus Report | |
Nessus Security Scanner NBE Report | |
Nessus XML Report | |
PatchLink Vulnerability | |
QualysGuard Scan Report | |
Rapid7 NeXpose Vulnerability Scanner | |
Retina | |
VPN and Remote Access | <return to top> |
Array Networks SPX | Collects events from Array Networks Secure Access Gateways. |
Azure Multi-Factor Authentication Server | Multi-Factor authentication for hybrid environments. |
Barracuda SSL VPN Connector | Collects events from Barracuda SSL VPN appliance. |
Cisco VPN | Collects events for Cisco VPN concentrators. |
Citrix Secure Access Gateway | Collects events about application access, configuration, and user monitoring from Citrix secure access gateways. |
Citrix Secure Gateway Access - XenApp Server | |
Citrix XenDesktop | |
Citrix XenServer auth log | Collects authorization events from Citrix devices. |
Citrix XenServer daemon log | Collects daemon log events from Citrix devices. |
Corente AWB | Collects events from the Corente AWB application. |
FirePass SSL VPN | Collects SSL VPN authentication and VPN access events on F5 FirePass appliances. |
Neo Accel SSL VPN | Collects SSL VPN authentication and VPN access events on Neo Accel SSL VPN appliances. |
Neoteris VPN/Juniper SA series | Collects SSL VPN authentication and VPN access events on Juniper SA series SSL VPN appliances. |
Netgear SSL VPN Concentrator SSL312 | Collects SSL VPN authentication and VPN access events on Netgear SSL VPN Concentrator appliances. |
Netilla VPN | Collects SSL VPN authentication and VPN access events on Netilla VPN appliances. |
Nortel Contivity | Collects events from the following Nortel Contivity secure IP gateways: 1000, 1750, 2700, 500, and 600. |
OpenVPN | Collects VPN-related events from devices running OpenVPN. |
Permeo VPN | Collects events from Permeo VPN appliances. |
PulseSecure | Collects logs from Pulse Connect Secure and Pulse Policy Secure. There should be two instances of this connector: one points to the user.log facility and one to the localX.log facility. |
RemotelyAnywhere / LogMeIn | |
Riverbed Steelhead WAN Optimization | Collects events from the Riverbed Steelhead WAN Optimization appliance. |
SonicWALL Aventail SSL VPN E-Class and SMA | Collects events from Dell Aventail SSL VPN E-series and SMA (Secure Mobile Access) appliances. |
SonicWALL SSL VPN | Collects events from Dell Aventail SSL VPN appliances (NOT E-class). |
SonicWall E-Class SRA | Collects events from Dell SonicWALL E-Class Secure Remote Access appliances. |
TeamViewer | Collects TeamViewer connection logs. |
Ultra VNC | |
VMware Horizon 7 | VMware Horizon 7. |
WatchGuard Vclass | |
WatchGuard Vclass (Alarm) | |
WatchGuard Vclass (VPN) | |
pcAnywhere | |
WebServer | <return to top> |
AnyEvent | |
Apache (syslog) | Covers Apache-style logs sent through syslog (starting with the Apache Common Log format), including Fastly apache-style logs. |
Apache Access | |
Apache Access Rotating | |
Apache Error | |
Apache Error Rotating | |
Apache Tomcat isapi_redirect | |
Atlassian BitBucket Server | Atlassian BitBucket is a web-based version control repository hosting service. |
EscalationAssignmentAbortedEvent | |
Guidewire | Captures Tomcat logs from Guidewire. Apache Tomcat is an open source web server and Java Servlet container. |
IIS error connector | IIS error connector. |
Incapsula Web Application Firewall | |
LanguageAssignmentEvent | |
Localhost Apache Access | |
Microsoft Forefront Threat Management Gateway 2010 Web Proxy (W3C Server file format) | Collects Microsoft Forefront Threat Management Gateway log messages from files in W3C format. |
Microsoft IIS Advanced Logging | |
Microsoft IIS Web Server 10.0 (W3C Extended file format) | |
Microsoft IIS Web Server 5.0 (W3C Extended file format) | |
Microsoft IIS Web Server 6.0 (W3C Extended file format) | |
Microsoft IIS Web Server 7.0 (W3C Extended file format) | |
Microsoft IIS Web Server 8.5 (W3C Extended file format) | |
Microsoft IIS Web Server 8.5 (W3C Extended file format) Enhanced Logging | |
MicrosoftIISLogging via Windows Event Log | Internet Information Services logging through the Windows Event Log. To enable, a new key called Microsoft-IIS-Logging/Logs must be added to the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. See this KB article for an example implemented on a different connector. |
MilestoneXProtect_C | |
MilestoneXProtect_Configuration | |
MilestoneXProtect_audit | |
NGINX Error | |
NetMotion Mobility Server_mobility events | |
NetMotion Mobility Server_nmact events | |
NetMotion Mobility Warehouse_Access events | |
NetMotion Mobility Warehouse_Error events | |
SignonEvents | |
SingleSignonEvents | |
Syncplify.Me (W3C Extended File Format) | Gathers logs from Syncplify.me (a secure SFTP server) in W3C format stored locally in a flat file. |
Tomcat ASC Config Change event | Tomcat ASC Config Change event. |
Tomcat Cluster Event | Tomcat Cluster Event. |
Tomcat Common daemon | Tomcat Common daemon. |
Webdefend-Trustwave | Web application firewall that logs events based on actions taken on web traffic to prevent attacks. |
Websphere 7 SystemOut Log |