Documentation for Security Event Manager

SEM connectors

Updated: January 4, 2023

Version: 1.0.0.10828

Jump to: Anti-Virus | Application | Application Switch | Data Loss Prevention | Database | E-Mail | File Transfer and Sharing | Firewalls | IAM | IDS and IPS | Manager | Network Access Control | Network Management | Network Services | Operating Systems | Physical Infrastructure | Proxies/Content Filters | Routers/Switches | Security and UTM | Storage | System Scan Reporters | VPN and Remote Access | WebServer

Anti-Virus
AMaViS Collects syslog events from AMaViS - A Mail Virus Scanner - which filters spam. Typically used in conjunction with ClamAV connector.
AVG 7.5 Network
AVG DataCenter 7.5
AVG DataCenter 8.0
Bromium virtualization-based security catches Bromium virtualization-based security catches
ClamAV Collects events from devices where the Clam AV application has been deployed.
Command Antivirus for Windows
Command for Exchange Server
Cylance-Next Generation Anti-Virus Cylance-Next Generation Anti-Virus
ESET NOD32 syslog Collects syslog events from ESET NOD32 Server.
Enhanced Mitigation Experience Toolkit (EMET) The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
Eset Remote Administrator Connector for Eset Remote Administrator
F-Secure Anti-Virus 7
F-Secure Policy Manager Server 10 Collects F-Secure events from the Policy Manager Server H2 embedded database.
F-Secure syslog Collects events from F-Secure syslog
Forefront Endpoint Protection - AV
Forefront Security Application Log (Client Security, Exchange and Sharepoint)
Forefront Security SQL Database
Forefront Security System Log (Client Security)
FreshClam Collects events from devices using FreshClam to update ClamAV. It is recommended that this connector be used in conjunction with the ClamAV connector.
Group Shield/Outbreak for Exchange Server
InoculateIT 6.0
InoculateIT 7.0+
Kaspersky Administration Kit 8
Kaspersky Administration Kit 8 - Extended version
Kaspersky Anti-Virus 10
Kaspersky Anti-Virus 6
Kaspersky Endpoint Security 11
Kaspersky Security Center
Kaspersky Security Center - Extended
Kaspersky events via Windows EventLog
Malware Bytes Management Console Malware Bytes Management Console
Malware Bytes non-syslog Malware Bytes connector non-syslog, protection-log-yyyy-mm-dd, protection-log-yyyy-mm-dd.xml
Malware bytes syslog Malwarebytes protects you against malware, ransomware, and other advanced online threats. Syslog
McAfee Access Protection
McAfee Activity Log (4.5 DAT file update)
McAfee Mail Scan
McAfee NetShield
McAfee On Access Scan v7.0
McAfee Total Protection
McAfee Update v7.0
McAfee VSC
McAfee VSH 5.0/7.0
McAfee VSH 80i
McAfee VSH 85i
McAfee VSH Home
McAfee Web Email Scan
Microsoft Security Essentials
Microsoft Windows Defender-Operational Microsoft Windows Defender is an anti-malware product that identifies and removes viruses, spyware and other malicious software | In order for this to work a new key by the name of Microsoft-Windows-Windows Defender/Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows Defender-Windows Health Center Microsoft Windows Defender is an anti-malware product that identifies and removes viruses, spyware and other malicious software | In order for this to work a new key by the name of Microsoft-Windows-Windows%20Defender/WHC needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here. If there are issues, delete '%20' from the registry key name and from the Log File field, and make sure both strings match.
NOD32 Antivirus 4 Access Event
NOD32 Antivirus 4 Access Scan
NOD32 Antivirus 4 Access Threat
NOD32 Antivirus 4 SQL Event
NOD32 Antivirus 4 SQL Scan
NOD32 Antivirus 4 SQL Threat
NOD32 Antivirus 5 Access Event Collects NOD32 5 Event events from the ESET Remote Administrator MS Access database.
NOD32 Antivirus 5 Access Firewall Collects NOD32 5 Firewall events from the ESET Remote Administrator MS Access database.
NOD32 Antivirus 5 Access Scan Collects NOD32 5 Scan events from the ESET Remote Administrator MS Access database.
NOD32 Antivirus 5 Access Threat Collects NOD32 5 Threat events from the ESET Remote Administrator MS Access database.
NOD32 Antivirus 5 SQL Event Collects NOD32 5 Event events from the ESET Remote Administrator SQL database.
NOD32 Antivirus 5 SQL Firewall Collects NOD32 5 Firewall events from the ESET Remote Administrator SQL database.
NOD32 Antivirus 5 SQL Scan Collects NOD32 5 Scan events from the ESET Remote Administrator SQL database.
NOD32 Antivirus 5 SQL Threat Collects NOD32 5 Threat events from the ESET Remote Administrator SQL database.
Palo Alto Traps Palo Alto ESM Endpoint Security Manager, Anti-Virus
Panda Security for Desktops 4.02
Sophos Anti-Virus SNMP
Sophos Anti-Virus for Win2k
Sophos Enterprise 2.0 Database There was a case where a customer used this with Sophos 5 without problems.
Sophos Enterprise 3.0 Database There was a case where a customer used this with Sophos 5 without problems.
Sybari's Antigen 7.0 for Exchange Server 2000
Symantec Corp Antivirus
Symantec Endpoint Protection 11 Collects events from Symantec Endpoint Protection versions 11+.
Symantec Endpoint Protection Small Business Edition - Application logs Symantec Endpoint Protection Small Business Edition - Application logs
Symantec Endpoint Protection Small Business Edition - own logs In order for this to work a new key by the name of 'Symantec Endpoint Protection Client' needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Symantec Protection Engine Symantec Protection Engine.
Trend IMSS
Trend IMSS Policy
Trend IMSS Virus
Trend InterScan
Trend Micro Control Manager Covers logs from Trend Micro Control Manager and Trend Micro Apex Central (including Apex One)
Trend Office Scan
Trend ScanMail
Trend Server Protect
VIPRE 5.0
VIPRE Business - System Events 4.0
VIPRE Business 4.0
VIPRE Enterprise 3.1
Webroot Antispyware Corporate Edition 3.5
eEye Blink Professional Endpoint Protection
Application
.Net Syslog Client Net Syslog client. Supports both RFC 3164 and RFC 5424 Syslog standards as well as UDP and encrypted TCP transports.
Application and Services Logs - CertificateServicesClient-Lifecycle-System Application and Services Logs - CertificateServicesClient-Lifecycle-System. In order for this to work a new key by the name of Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Application and Services Logs - CertificateServicesClient-Lifecycle-User Application and Services Logs - CertificateServicesClient-Lifecycle-User. In order for this to work a new key by the name of Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Atlassian JIRA
BST Enterprise Collects events from BST Enterprise
BST Enterprises BST Enterprises - Business software solution for Accounting
BlueEye Blue Eye Video management system | In order for this to work a new key by the name of Raytheon Blue Eye needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Bomgar Appliance Collects events from Bomgar remote support appliance.
Bunyan Admin/DS Logging Bunyan logging system for our Node.js application
Call Copy Call Copy. This product is used to record the calls and screen of the call center agents.
Cimcor CimTrak via syslog Cimcor CimTrak a File Integrity Monitoring Solution
Citrix StoreFront Delivery Services Citrix StoreFront manages the delivery of desktops and applications from XenApp and XenDesktop servers, and XenMobile servers in the data center to user devices
Cron Service Gathers messages from the Cron daemon service
DAXMonitor- Demand AnalytX monitor DAXMonitor logs to the Windows appliance logs.
Dell AppAssure Dell AppAssure reliably backs up, replicates, verifies and restores data
Dell Quest Rapid Recovery (AppAssure Logs) Dell Quest Rapid Recovery (AppAssure Logs) - Rapid Recovery backup and restore appliance. In order for this to work a new key by the name of AppAssure needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Dell Quest Rapid Recovery (Dell Logs) Dell Quest Rapid Recovery (Dell Logs) - Rapid Recovery backup and restore appliance. In order for this to work a new key by the name of Dell needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Dell Quest Rapid Recovery (Quest Logs) Dell Quest Rapid Recovery (Quest Logs) - Rapid Recovery backup and restore appliance. In order for this to work a new key by the name of Quest needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Denyhosts Gathers events from the Sourceforge Denyhosts script
Directory Synchronization
Epic Electronic Health Records System
FactoryTalk View FactoryTalk View software is a versatile HMI application that provides a dedicated and powerful solution for machine-level operator interface devices.
Flex Teller
Hitachi JP1 Job Management Partner 1 / Automatic Job Management System Hitachi JP1 Job Management Partner 1 / Automatic Job Management System 3 messages
Hitachi JP1 Job Management Partner 1/Base Hitachi JP1 Job Management Partner 1/Base messages
Honeyd Virtual Honeypot Gathers messages from the Honeyd daemon
Hyland Workflow Timer Service Hyland Workflow Timer Service Administration is the administrative interface for managing core-based workflow timers | In order for this to work a new key by the name of Hyland needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
HyperV-Hypervisor-Operational HyperV-Hypervisor-Operational In order for this to work a new key by the name of Microsoft-Windows-Hyper-V-Hypervisor-Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
HyperV-Integration-Admin HyperV-Integration-Admin In order for this to work a new key by the name of Microsoft-Windows-Hyper-V-Integration-Admin needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
HyperV-SynthNic-Admin HyperV-SynthNic-Admin In order for this to work a new key by the name of Microsoft-Windows-Hyper-V-SynthNic-Admin needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog An example of this for a different connector is shown here.
HyperV-VMMS-Admin HyperV-VMMS-Admin In order for this to work a new key by the name of Microsoft-Windows-Hyper-V-VMMS-Admin needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
HyperV-VMMS-Networking logs Hyper-V-VMMS-Networking Windows event log coverage. In order for this to work a new key by the name of Microsoft-Windows-Hyper-V-VMMS-Networking needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
HyperV-VMMS-Operational HyperV-VMMS-Operational In order for this to work a new key by the name of Microsoft-Windows-Hyper-V-VMMS-Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
HyperV-Worker-Admin HyperV-Worker-Admin In order for this to work a new key by the name of Microsoft-Windows-Hyper-V-Worker-Admin needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
IBM RACF and DB2 Syslog Collects syslog events from devices running RACF and DB2.
IBM RACF messages Collects events from devices running RACF.
JBoss Logging (MM/dd/yyyy HH:mm:ss) JBoss is a Java application server used for web application development. This connector covers logs that use the date/time format MM/dd/yyyy HH:mm:ss.
JBoss Logging ISO8601 (yyyy-MM-dd HH:mm:ss) JBoss is a Java application server used for web application development. This connector covers logs that use the ISO 8601 date/time format yyyy-MM-dd HH:mm:ss.
Linux YUM
Log4Net
Log4j Collects Events from Log4j Applications
Luminis Access Web Servers (portals)
Luminis cp Web Servers (portals)
Made2Manage
ManageEngine Password Manager Pro Stores and Manages sensitive information
Meditech Collects application access, configuration, and user monitoring events from devices running Meditech software.
Meditech EMR Access Log
Microsoft Lync Microsoft Lync is an enterprise-ready unified communications platform. | In order for this to work a new key by the name of Lync%20Server needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows AppLocker- EXE and DLL In order for this to work a new key by the name of Microsoft-Windows-AppLocker/EXEandDLL needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows AppLocker- MSI and Script In order for this to work a new key by the name of Microsoft-Windows-AppLocker/MSIandScript needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows Failover Clustering (HyperV Cluster) logs Microsoft Windows Failover Clustering (HyperV Cluster) log coverage | In order for this to work a new key by the name of Microsoft-Windows-FailoverClustering/Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
OnBase enterprise information platform OnBase enterprise content services platform managing content, processes and cases | In order for this to work a new key by the name of OnBase%20Log needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Oracle Hyperion FM log Collects Windows Events from the Oracle Hyperion Financial Management Application
Oracle Linux messages log Oracle Linux messages log
Oracle WebLogic Server 12c Oracle WebLogic Server 12c - A Java EE application server. The logLocation depends on the server name and must be changed when creating a new connector.
PowerShell PowerShell is an automation platform and scripting language for Windows and Windows Server.
PowerShell 5.0 Extra logging for PowerShell 5.0. In order for this to work a new key by the name of Microsoft-Windows-PowerShell/Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Print Services for Windows 7/2008(Admin) Print Services helps to share printers on a network and to centralize print server and network printer management tasks | In order for this to work a new key by the name of Microsoft-Windows-PrintService/Admin needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Print Services for Windows 7/2008(Operational) Print Services helps to share printers on a network and to centralize print server and network printer management tasks | In order for this to work a new key by the name of Microsoft-Windows-PrintService/Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
QCSI Application Log data
QCSI Data Logs
QCSI System Logs
Salient Commercial Solutions Provides agile solutions and security for IBM, Insurance and Mortgage domains.
Savant Protection Collects application-specific events from devices with Savant Protection installed on them.
Shibboleth IDP warn logs Shibboleth IDP warn logs
Subnet POWER SYSTEM - AccessServer, ApplicationServer, DataServerSQL, ApplicationServerSharePoint
Syslog-ng A separate connector for syslog-ng internal events
Verint Verint provides software and hardware products for customer engagement management, security, surveillance, and business intelligence
Wescom Resources Group's Host Gateway Windows Log
Windows Active Directory Federation Services Windows ADFS logs to different locations. In order for this connector to work, logLocation should be changed to match the Log Name shown in Event Viewer, and a new key with the same name as logLocation needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Windows Active Directory Federation Services, Auditing
Windows DHCP Server 2000/2003/2008 event Log(Admin)
Windows DHCP Server 2000/2003/2008 event Log(Operational) In order for this to work a new key by the name of Microsoft-Windows-Dhcp-Server/Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Windows Secure Envoy Log Windows Secure Envoy log - authentication
Windows Setup Log In order for this to work a new key by the name of Setup needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
db2diag local file non-syslog db2diag local file non-syslog
vCenter vpxd 6.0 logs vCenter vpxd 6.0 logs - The vCenter Server management service for the VMware virtualization platform (software, hardware and applications)
Application Switch
Cisco Content Services Switch Collects events from Cisco Content Services Switches.
Citrix Secure Access Gateway Enterprise Appliance / Netscaler Collects events about application access, configuration, and user monitoring from Netscalers.
ConSentry Controller Collects events from ConSentry switches.
Coyote Point Equalizer Collects events from Coyote Point Equalizer server load balancing Appliance.
F5 BigIP BSD daemon messages Collects events about services running on the F5 appliances.
F5 BigIP HTTPD specific Collects web traffic events (primarily HTTP errors and warnings) from F5 appliances.
F5 BigIP messages Collects authentication and service-related events on the F5 appliances.
F5 General BIG-IP specific messages Collects events specific to LTM (local traffic manager) and ASM (Application Security Manager) on the F5 appliances.
FireProof Collects events from FireProof application switches.
LinkProof Collects device information and connection events from LinkProof switches.
Nortel Alteon Collects events from Nortel Alteon application switches.
Radware AppDirector
Data Loss Prevention
Bit9 Parity v5+ Syslog Collects events generated by the Bit9 Parity application control suite.
CodeGreen Content Inspection Collects content-related events generated from devices where Code Green is deployed. Should also enable the Code Green Content Inspection User connector.
CodeGreen Content Inspection user Collects events about creating and deleting users, connecting to LDAP, and settings changes from devices where Code Green is deployed. Should also enable the Code Green Content Inspection connector.
DeviceLock Audit
DeviceLock Events
EMC RecoverPoint Collects authentication and device management events from RecoverPoint and RecoverPointSE appliances.
FileSure
Forcepoint TRITON AP-DATA Collects events from Forcepoint/Websense TRITON AP-DATA and Forcepoint DLP
Microsoft Backup Operational logs In order for this to work a new key by the name of 'Microsoft-Windows-Backup/Operational' needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Data Protection Backup manager In order for this to work a new key by the name of 'DPM Backup Events' needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Data Protection Manager In order for this to work a new key by the name of 'DPM Alerts' needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
NuBridges Protect Key Manager Collects events from NuBridges Protect Key Manager software. Should be used in conjunction with NuBridges Protect Resource Service and NuBridges Protect Token Manager Engine.
NuBridges Protect Resource Service Collects events from NuBridges Protect Key Manager software. Should be used in conjunction with NuBridges Protect Resource Service and NuBridges Protect Token Manager Engine.
NuBridges Protect Token Manager Engine Collects events from NuBridges Protect Key Manager software. Should be used in conjunction with NuBridges Protect Resource Service and NuBridges Protect Token Manager Engine.
SecureSphere Collects events from Imperva SecureSphere Database, Web, and File security products.
SecureSphere Database Gateway 6.0 Collects events from Imperva SecureSphere Database Gateways using firmware version 6.0+.
SecureSphere System and Firewall Events 6.0 Collects events from Imperva Firewalls using firmware version 6.0+.
SecureSphere Web Application Firewall 6.0 Collects events from Imperva SecureSphere Web Application Firewall 6.0 using firmware version 6.0+.
SecureSphere v10 Collects events from Imperva SecureSphere v10.
Veeam backup and availability Veeam Backup provides backup and recovery of virtualized applications and data
Veeam endpoint backup and availability Veeam endpoint Backup provides backup and recovery of virtualized applications and data
Vericept Monitor Collects communication events from devices running Vericept Monitor software.
Websense Data Security Collects device/software events from Websense gateways.
Database
Collects events from Postgres Database log file Collects events from Postgres Database log file.
IBM DB2 messages Collects events from DB2.
LOGbinder SQL LOGbinder for SQL Server - Connecting the SQL Server audit log to SIEM
LOGbinder SQL Security LOGbinder for SQL Server Security - Connecting the SQL Server audit log to SIEM
MS SQL Audit Events Collects Microsoft SQL Server Audit events written into the Windows Application/Security Log. For more information about SQL Auditing, see SQL Server Audit (Database Engine) in the Microsoft SQL Server documentation.
MSSQL Application Log
MySQL Database log Monitoring MySQL uptime, connections and Error logs
MySQL database tools on Windows err log MySQL provides a suite of tools for developing and managing business-critical applications on Windows; this connector covers the .err log. You will need to choose the correct .err file.
OpenEdge Audit
Oracle Alert Log Oracle Alert gives an immediate view of the critical activity in a database.
Oracle Auditor - Buffer - Extended version Collects Oracle Audit events via log, including table actions SELECT, INSERT, UPDATE, and DELETE
Oracle Auditor - Database
Oracle Auditor - Database - Extended Collects events from Oracle Database, including Select, Insert, Update, and Delete
Oracle Auditor - Syslog Collects Oracle Audit events via Syslog.
Oracle Auditor - Syslog - Extended version Collects Oracle Audit events via Syslog, including table actions SELECT, INSERT, UPDATE, and DELETE
Oracle Auditor - Windows
Oracle Auditor - Windows - Extended version Collects Oracle Audit events via WindowsLog, including table actions SELECT, BEGIN, INSERT, UPDATE, and DELETE
Oracle Unified Auditing system. Oracle Unified Auditing is available starting with version 12c and must be enabled manually.
SolarWinds Log and Event Manager MSSQL Auditor MSSQL Auditor supports only SQL Server versions up to 2016. We recommend using the 'MS SQL Audit Events' connector since it supports even the newest MS SQL Server versions.
E-Mail
IBM Domino (AIX) IBM Domino (Lotus) for AIX
LOGbinder for Exchange
Lotus Notes Webmail
Lotus Notes and Domino Server 8
Microsoft Exchange Application Log
Microsoft Exchange Event Log
Microsoft Exchange Management Log Microsoft Exchange Management Log
Microsoft Exchange Message Tracking Tracks all mail and message activity on Exchange server
File Transfer and Sharing
Accellion Secure File Transfer using https and SFTP Accellion is a content collaboration platform that enables seamless access to content and centralized access to multiple on-premises and cloud-based content systems
Axway Secure Client Collects events from Axway Secure Client
Cerberus FTP Server
CrushFTP CrushFTP is a robust file transfer server that makes it easy to set up secure connections with your users
DFS Replication Gathers Distributed File System Replication events from the DFS Replication Windows Event Log
EFT Server Enterprise Windows Application Log
FileZilla
GENE6 Secure FTP Server Security Gene6 FTP Server is a professional Windows FTP server used to transfer important files over the internet
GENE6 Secure FTP Server Transfer Gene6 FTP Server is a professional Windows FTP server used to transfer important files over the internet
Globalscape EFT client
Globalscape Secure FTP (W3C Extended file format)
GoAnywhere Services A secure FTP server (and optional web server) that allows trading partners and employees to connect to your system and exchange files in a secure environment
HP StorageWorks Modular Smart Array SNMP HP StorageWorks Modular Smart Array SNMP
LOGbinder for Sharepoint: LOGbinder SP log
LOGbinder for Sharepoint: LOGbndSP log
LOGbinder for Sharepoint: Security Log
MOVEit Log
MOVEit Windows Application Log
Microsoft IIS FTP Server 5+ (W3C Extended file format)
Microsoft IIS FTP Server 7.0 (W3C Extended file format)
Microsoft Offline Files Operational Microsoft Offline Files logs issues with Sync Center/offline file sync. | In order for this to work a new key by the name of Microsoft-Windows-OfflineFiles%4Operational needs to be added to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
OpenBSD FTPd Collects FTP-related events from devices running OpenBSD FTPd.
Panzura Distributed File Services The Panzura Global File System transforms cloud storage, public or private, into a high-performance, globally distributed file system
ProFTPD Access
ProFTPD Auth
Pure Storage Purity Pure Storage Purity software-defined storage and flash management purpose-built to power Pure’s shared accelerated storage
Pure-FTPd
QNAP NAS/File Server
Samba Collects file and print sharing related events from devices running Samba.
Serv-U FTP Server
Serv-U FTP Server (Never Rotate)
SmartFile Secure File Sharing and Transfer Solutions SmartFile Secure File Sharing and Transfer Solutions
Solarwinds SFTP/SCP Server Solarwinds SFTP/SCP Server is a free SFTP server for reliable and secure network file transfers
Varonis DatAdvantage File Monitoring Varonis DatAdvantage monitors network file shares and directory services for suspicious behavior. It monitors file activity and user behavior, helps prevent data breaches, and simplifies permissions management and auditing.
WS_FTP Server Corporate Collects FTP traffic analysis events, by user, source, destination, configuration, and authentication, from devices running WS_FTP.
secRMM Security Removable Media Manager
vsftpd xferlog
Firewalls
A10 Load Balancer and Web Application Firewall Gathers events from A10 Load Balancer and A10 Web Application Firewall devices
AppWall AppWall - Web Application Firewall (WAF)
Applicure dotDefender Applicure dotDefender web application firewall
Barracuda NG Firewall (Phion Netfence)
Barracuda NG Firewall (Phion Netfence) Extended
Barracuda Web Application Firewall Collects events from Barracuda Web Application Firewall devices. It is recommended to use this connector along with the BarracudaAdmin and BarracudaWeb connectors. System, Web Firewall, Access, Audit and Network Firewall logs have a newer connector (BarracudaADC); try that one first, and if it does not work for your case, use this connector.
Borderware Firewall Collects events from Borderware (now Watchguard XCS) appliances.
Check Point Firewalls 5000 series Gathers logs from Check Point Firewalls 5000 series
CheckPoint 600 Appliances (optional) daemon.log Collects events from CheckPoint 600 Appliances. It may also work for 700 Appliances, but SolarWinds has not yet verified this. The appliance sends to auth.log, user.log and daemon.log.
CheckPoint 600 Appliances (optional) user.log Collects events from CheckPoint 600 Appliances. It may also work for 700 Appliances, but SolarWinds has not yet verified this. The appliance sends to auth.log, user.log and daemon.log.
CheckPoint 600 Appliances (required) auth.log Collects events from CheckPoint 600 Appliances. It may also work for 700 Appliances, but SolarWinds has not yet verified this. The appliance sends to auth.log, user.log and daemon.log.
CheckPoint2200 CheckPoint2200 - security gateway providing all-in-one security solution
CheckPoint2200Kern CheckPoint2200 kern log - security gateway providing all-in-one security solution
CheckPointR80 Gathers logs from Check Point R80.20
Checkpoint Edge X Firewall Collects events from CheckPoint appliances that are running EdgeX firmware.
Checkpoint Safe@Office Firewall Collects events from CheckPoint appliances that are running the safe@office firmware.
Cisco ASA and IOS Collects events from Cisco ASA, PIX, FWSM, and ACE firewalls, as well as IOS based routers/switches.
Cisco Firesight Cisco FireSIGHT Management Center: Centralized Policy, Event, and Device Management
Cisco SA500 Series Security Appliances Collects events from the following series of Cisco SA500 Security Appliances: 540.
Clavister firewall Clavister E80 and W20 devices are next-generation firewalls.
Cyberguard
D-Link DFL firewall Collects events from D-Link DFL Firewalls.
EndianUTM Endian Unified Threat Management (UTM) is a set of security features integrated into an all-in-one solution
FortiClient Automated endpoint threat prevention
FortiGate 5.0+ Collects events from Fortigate UTM appliances that use firmware version 5.0 and later.
GNAT Box System Software v.3.3 Collects events from the GNAT Box UTM software firewalls OR hardware running GNAT Box v3.3 or higher.
HP Firewall Collects events from HP Firewall Appliance.
Hirschmann EAGLE System Industrial Firewall Collects events specific to Hirschmann EAGLE System Industrial Firewall/VPN-router appliances.
IBM DataPower An XML Gateway appliance which supports security/Web services and Enterprise Service Bus aspects
IP Filter Collects events from devices running IPFilter firewall software.
IPFire OpenSource Firewall Distribution A hardened Linux appliance distribution designed for use as a firewall
Incapsula Web Application Firewall via syslog Incapsula Web Application Firewall via syslog
Ingate Firewall Collects events for Ingate Firewall 1190.
Juniper Virtual Gateway Collects events from Juniper virtual gateway devices.
Juniper/NetScreen 5 Collects events from Juniper firewalls running ScreenOS version 5.0 or later.
Kerio Control Firewall Network firewall, router and leading-edge IPS.
McAfee Firewall v5.8 CEF Collects events from McAfee Firewall/VPN appliances and Virtual Firewall/VPNs running software/firmware version 5.8 or later.
McAfee ForcePoint Firewall Collects events from Forcepoint Firewall/VPN appliances and Virtual Firewall/VPNs running software/firmware.
Microsoft Forefront Threat Management Gateway 2010 Firewall (W3C Server file format) Collects Microsoft Forefront Threat Management Gateway log messages from files in the W3C format.
Microsoft ISA 2000 Firewall (ISA Server file format)
Microsoft ISA 2004 Web Proxy (ISA Server file format)
Microsoft ISA 2004 Web Proxy (W3C Server file format)
Microsoft ISA 2004/2006 Firewall (ISA Server file format)
Microsoft ISA 2004/2006 Firewall (W3C Server file format)
Microsoft ISA 2006 Web Proxy (ISA Server file format)
Microsoft ISA 2006 Web Proxy (W3C Server file format)
Microsoft ISA Firewall (W3C Extended file format)
Microsoft ISA Packet Filter (ISA Server file format)
Microsoft ISA Packet Filter (W3C Extended file format)
Microsoft ISA Server Application Log
Microsoft ISA Web Proxy (ISA Server file format)
Microsoft ISA Web Proxy (W3C Extended file format)
Microsoft Windows Firewall Advanced Security Events Collects Microsoft Windows Firewall with Advanced Security/Firewall events. For this connector to work, a new key named Microsoft-Windows-Windows Firewall With Advanced Security/Firewall must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Netgear FV Series Collects events from Netgear FV series firewall appliances.
Netscreen(Juniper SRX firewall) Collects events from Juniper Netscreen firewall appliances running firmware version 4.x.
Network Box RM300 and ITPE1000 Collects events from Network Box firewall devices.
OPSEC(TM) / Check Point(TM) NG LEA Client
OPSWAT Metadefender OPSWAT Metadefender - Data sanitization (CDR), vulnerability assessment, multiple anti-malware engines, and customized security policies.
OSSEC Active Response log Collects add and delete events from the OSSEC active response log.
Palo Alto Networks Firewalls Collects events from Palo Alto firewalls running PanOS. For this connector to work, Log Format must be set to BSD and all fields in Custom Log Format must be set to Default. An article on how to set up the logging is located here.
Sidewinder 6.1+ Firewall Collects events from the McAfee Sidewinder Firewall (versions 6.1+).
Sidewinder Firewall Collects events from the McAfee Sidewinder Firewall (versions before 6.1).
SonicWall Collects events from Dell SonicWall Firewall devices.
SonicWall GMS
Sophos (Astaro) Security Gateway Collects events from the following Sophos (Astaro) Security Gateways: 110, 120, 220, 320, 425, 525, 625.
SophosXG Firewall SophosXG Firewall
StoneGate Firewall v5.3 CEF Collects events from StoneGate Firewall/VPN appliances and Virtual Firewall/VPNs running software/firmware version 5.3 or later.
Storm Shield Netasq Firewall Storm Shield Netasq Firewall
Symantec Velociraptor 1.5 Collects events from the Symantec Velociraptor Firewall version 1.5.
Symantec Velociraptor 2.0 Collects events from the Symantec Velociraptor Firewall version 2.0.
Symantec Velociraptor 3.0 Collects events from the Symantec Velociraptor Firewall version 3.0+.
Tippingpoint X505 Collects Firewall, VPN, and Web events from the Tippingpoint X-series.
Titanium Mirror Firewall Collects events for Titanium Mirror firewalls (TM0100, TM0300, TM0310, and TM1100).
Tofino Firewall LSM for Industrial Networks Collects events specific to industrial networks from the Tofino Firewall LSM, which controls industrial network traffic.
Trend Deep Security Collects events from devices running Trend Deep Security software.
Untangle NG Firewall Untangle NG Firewall provides network management software.
VMWare vShield Edge Firewall Gathers events from VMWare's vShield Edge Firewall
VisNetic Firewall
WatchGuard firewalls Collects events from Watchguard firewalls.
Windows Firewall
ZyXEL ZyWALL CEF Format Gathers events from ZyXEL ZyWALL CEF Format
eSoft Collects events from the following InstaGate devices: Firewall models 404, 404e, 604, 806, and ThreatWall models 250, 450, and 650.
iptables / netfilter Collects events from devices running iptables or netfilter.
pfSense Firewall/Router pfSense is an open source firewall/router computer software distribution based on FreeBSD
IAM <return to top>
BioPassword
Cisco (NAC) Network Access Control Appliance with Clean Access Manager (CAM) or Server (CAS) Software Collects events from Cisco NAC (clean access) appliances.
Cisco ACS Admin Audit
Cisco ACS Admin Audit 4.1+
Cisco ACS Backup and Restore
Cisco ACS Database Replication
Cisco ACS Database Sync
Cisco ACS Express
Cisco ACS Failed Attempts
Cisco ACS Passed Authentications
Cisco ACS RADIUS Accounting
Cisco ACS Service Monitoring
Cisco ACS TACACS+ Accounting
Cisco ACS TACACS+ Administration
Cisco ACS User Password Changes
Cisco ACS VoIP
Cisco Customer Voice Portal Application Activity Date Rotating Log Activity taken by callers when they visit an application.
Cisco Customer Voice Portal Application Activity Log Activity taken by callers when they visit an application.
Cisco Customer Voice Portal Application Admin Date Rotating Log Shows admin events for the app.
Cisco Customer Voice Portal Application Admin Log Shows admin events for the app.
Cisco Customer Voice Portal Application Error Date Rotating Log Shows system-error events for the app. Some of these result in the failure of the call.
Cisco Customer Voice Portal Application Error Log Shows system-error events for the app. Some of these result in the failure of the call.
Cisco Customer Voice Portal Global Admin Date Rotating Log Logs admin events that affect the server as a whole.
Cisco Customer Voice Portal Global Admin Log Logs admin events that affect the server as a whole.
Cisco Customer Voice Portal Global Error Date Rotating Log Logs errors that are outside the scope of one app.
Cisco Customer Voice Portal Global Error Log Logs errors that are outside the scope of one app.
Cisco Customer Voice Portal Global call Date Rotating Log Logs one row for each session (visit to one app by one call).
Cisco Customer Voice Portal Global call Log Logs one row for each session (visit to one app by one call).
Cisco Customer Voice Portal Server Startup Error Date Rotating Log Shows Global log.
Cisco Customer Voice Portal Server Startup Error Log Shows Global log.
Cisco Identity Services Engine (ISE) Automates and enforces context-aware security access to network resources.
Cisco Secure ACS 4.1 Syslog Collects events from Cisco ACS (versions 4.1 up to 5).
Cisco Secure ACS 5+ Syslog Collects events from Cisco ACS (versions 5 and up).
ClearBox Enterprise RADIUS server Collects authentication packet events from ClearBox Enterprise RADIUS Server 5.7.
Cyber-Ark Vault Collects events from the Cyber-Ark Vault Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite.
Dell Defender Dell Defender manages two-factor and multi-factor authentication for identity storage and management.
DigitalPersona Pro
Entrust Identity Guard (IDG) Entrust Identity Guard (IDG) Identity-based security software
Extreme Sentriant Collects identity and access management events from Sentriant appliances.
FreeRADIUS
FutureX Excrypt Gathers events from Hardware Security Module FutureX Excrypt SSP9000
IAS RADIUS Non-Rotating File
IAS RADIUS Rotating File
IBM Tivoli Access Manager for Operating Systems Gathers events from IBM Tivoli Access Manager for Operating Systems
Imprivata Appliance Imprivata is used to manage single-sign-on behavior, multi-factor authentication, and related authentication behavior for applications
Juniper SBR authentication accepts report log
Juniper SBR authentication accepts report log
Juniper SBR authentication rejects report log
Juniper SBR authentication rejects report log
KEMP Kern Log KEMP load balancer kernel log
ManageEngine Password Manager Pro SNMP
Microsoft Azure AD Password Protection DC Agent Admin Allows custom banned password lists and prevents users from setting passwords to known compromised passwords or passwords defined in the custom banned list. For this connector to work, a new key named Microsoft-AzureADPasswordProtection-DCAgent/Admin must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft RRAS
Microsoft RRAS Extended NPS Log Format
Microsoft Windows Group Policy Operational Centralized management and configuration of operating systems, applications and user settings in an Active Directory environment. For this connector to work, a new key named Microsoft-Windows-GroupPolicy/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows Terminal Services Gateway For this connector to work, a new key named Microsoft-Windows-TerminalServices-Gateway/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows Terminal Services Gateway Admin For this connector to work, a new key named Microsoft-Windows-TerminalServices-Gateway/Admin must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows Terminal Services Remote Connection Manager For this connector to work, a new key named Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Net Access
NetIQ Directory and Resource Administrator
Novell Identity Audit DB
OneSpan Collects events from OneSpan Authentication Server
Pleasant Password Server Pleasant Password Server is a multi-user password management tool.
PointSec PC
RSA Authentication Manager 7.1 Collects authentication events from the RSA Authentication Manager 7.1 or higher.
SafeNet Authentication Service (SAS) Windows Events Collects SafeNet Authentication Service (SAS) Windows Events. SafeNet Authentication Service is an on-premises authentication solution.
SafeNet SafeWord
Safenet Authentication service SafeNet's Authentication Service is a multifactor authentication (MFA) software product that adds supplementary security measures to standard user name/password logins for a variety of servers and services
SanDisk CMC
SecurID
SecurID Syslog Collects syslog events from RSA ACE servers.
SecureAuth idP Provides infrastructure for multi-factor authentication and single sign on
Shibboleth Identity Provider Shibboleth SAML/CAS Identity management system, audit logging
SolarWinds Access Rights Manager Gathers messages from SolarWinds Access Rights Manager.
Thycotic Secret Server
TriCipher Collects events from devices running the TriCipher software.
Two-Factor Authentication For Active Directory For this connector to work, a new key named AuthLite Security must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Vormetric Collects file access related events, administrative activity, service activity (problems with agents, etc) from devices running Vormetric software or appliances.
Windows IAS and NPS System Log Collects messages from Windows Internet Authentication Service (IAS) and Windows Network Policy Server (NPS) via the Windows System log
Windows server netlogon debug log Netlogon is a Windows Server process that authenticates users and other services within a domain.
eDMZ Password Auto Repository Collects events from eDMZ appliances (also called Quest Privileged Password Manager).
entrust Identity-based security solutions secure governments, enterprises and financial institutions
IDS and IPS <return to top>
ActiveScout Gathers events from ForeScout's ActiveScout (CounterAct Edge) Intrusion Prevention System (IPS) device.
Cisco FirePOWER Module (Sourcefire 3D system) Cisco FirePOWER Module (Sourcefire 3D Network Defence System)
Cisco IDS/IPS v4/5.x
Cisco IPS 5+ (SDEE)
Core Network Insight Core Network Insight (formerly Damballa Failsafe) is an advanced threat detection system.
Darktrace - threat detection and classification Darktrace is threat detection and classification
Dragon IDS Collects events from Enterasys Dragon IDS/IPS appliances.
FortiSnort
GFI LANguard System Integrity Monitor 3
IBM IPS XGS Collects events from IBM Security Network Protection XGS
IBM XGS IBM XGS Intrusion Prevention System
ISS Proventia IPS
ISS RealSecure IDS
Juniper IDP 250 v5.0 Collects events from Juniper IDP 250 appliances running firmware version 5.0+.
Juniper IDP 3.x Collects events from Juniper IDP appliances running firmware version 3.x.
Juniper IDP 4.0+ Collects events from Juniper IDP appliances running firmware version 4.0+.
McAfee Network Security Manager Collects events from McAfee IPS devices.
Microsoft ATA (Advanced Threat Analytics) Microsoft ATA (Advanced Threat Analytics) - Microsoft Cloud based SIEM
NitroGuard IPS - Snort Format Collects Snort-format events from Nitroguard IPS appliances.
NitroSecurity IPS Collects Nitro-format events from Nitroguard IPS appliances.
Osiris Host Integrity Monitoring System
Radware DefensePro A real-time, behavioral based attack mitigation device
Reflex IMC Collects Intrusion events from the Reflex Security IPS.
Secure Auth (Syslog) Secure Auth collects audit events from SecureAuth IdP Appliance in syslog format.
SecureAuth Error logs Collects error and warning events from SecureAuth IDP appliances
SecureAuth Logging Audit logs Collects audit events from SecureAuth IDP appliances
SecureAuth Logging Audit logs_Rotating Collects audit events from SecureAuth IDP appliances
SecureNet IDS
Sentinel IPS Collects events from Sentinel Intrusion Protection System
Snort
Sophos Central Cloud Sophos Central Cloud Endpoint Protection
Symantec Gateway IDS Collects events from the Symantec Gateway IDS.
SyslogSnort
TippingPoint Audit and System Collects audit and system events from Tippingpoint devices.
Tippingpoint IPS 1.4 Collects IPS events from TippingPoint SMS, as well as IPS versions 1.4 and 2.1+.
Tippingpoint IPS 2.1 Collects IPS events from TippingPoint SMS, as well as IPS versions 1.4 and 2.1+.
Tippingpoint SMS Collects IPS events from TippingPoint SMS, as well as IPS versions 1.4 and 2.1+.
TopLayer Attack Mitigator Collects DOS/DDOS events from TopLayer IPS 5500 EC-Series and TopLayer IPS 5500 ES-Series appliances.
Trend Micro Deep Discovery Inspector Detect targeted attacks and targeted ransomware
Trend Micro HIDS - ossec syslog Trend Micro HIDS - Integrate OSSEC alerts of suspicious activities via syslog
Trend Micro Interscan Gateway Security Appliance Collects events from Trend Micro's Interscan Gateway Security appliances.
Tripwire Enterprise Collects host and file integrity monitoring events from devices running Tripwire software.
Manager <return to top>
Debian DPKG Debian DPKG package manager log
Manager Monitor
Micro Focus Content Manager (DB Rotating) Normalizes rotating DB log data from Micro Focus Content Manager (Formerly HPE Content Manager / TRIM / Records Manager). Micro Focus Content Manager is a certified integrated records and document management toolset that attaches retention, access control, other bureau-specified rules and attributes to electronic documents.
Micro Focus Content Manager (TALF) Normalizes TALF data from Micro Focus Content Manager (Formerly HPE Content Manager / TRIM / Records Manager). Micro Focus Content Manager is a certified integrated records and document management toolset that attaches retention, access control, other bureau-specified rules and attributes to electronic documents.
MicrosoftWindowsRemoteManagement-Operational Windows Remote Management (WinRM) is a protocol that allows hardware and operating systems from different vendors to interoperate. For this connector to work, a new key named Microsoft-Windows-WinRM%4Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
SWLEM Reports Collects Reports events from Solarwinds Log and Event Manager.
nDepth Log Storage Message
Network Access Control <return to top>
Aruba ClearPass Policy Manager The ClearPass Policy Manager simplifies network access security by optimizing policies and AAA for mobile enterprises.
Cisco Prime Security Manager Centralized tool to manage Cisco ASA 5500-X Series Next-Generation Firewalls.
Network Management <return to top>
Airwatch Airwatch Mobile Device Management
Arbor Pravail APS 2104 Used for DDOS attack detection and mitigation.
Aruba Airwave Management Platform Aruba Airwave Management Platform manages and monitors wireless environments and controllers. It detects and remediates rogue devices and attacks, and identifies their location.
Axcient Unified Management Console (UMC)
Barracuda Load Balancer ADC Collects Load Balancer ADC events. Collects System, Web Firewall, Access, Audit and Network Firewall Logs.
Barracuda Web Security Gateway Barracuda Web Security Gateway provides spyware, malware, and virus protection for web security.
Blue Coat PacketShaper Blue Coat PacketShaper helps enterprises control bandwidth cost, deliver a superior user experience and align network resources with business priorities.
Carbon Black Enterprise Response Carbon Black Enterprise Response - Real-time EDR and incident response
Cimcor CimTrak Cimcor CimTrak WTLogs
Cisco Wireless Access Point Collects events for Cisco Wireless Access Point.
Cisco Wireless Control System Collects events for Cisco Wireless Control System.
Cisco Wireless LAN Controller snmp trap logs Wireless Access Point for Businesses
Citrix XenMobile, Mobile management MDM, system and audit sys log. Citrix XenMobile, Mobile management MDM, system and audit sys log.
DNA OASyS DNA OASyS 7.5 by Schneider. This is a SCADA Control System. This connector covers logs from multiple files: archive.log, cleanup.log, cmxrepsvr.log, collectLog.log, DPdirect_*.log, oasErrLog.log.
DNA OASyS xosErrLog DNA OASyS 7.5 by Schneider. This is a SCADA Control System. This connector covers xosErrLog.log logs.
Dameware Remote Administration
Fujitsu iRMC Fujitsu integrated Remote Management Controller
Gemalto High Availability (HA) Log Messages Gemalto Network HSM HA-related events including HA errors, add-member and delete-member events.
HPE Intelligent Management Center (IMC) HPE Intelligent Management Center (IMC), Network Management
Juniper NSM Collects events aggregated from Juniper devices.
Lancope StealthWatch Collects network events from StealthWatch appliances.
MS Forefront Endpoint Protection MS Forefront SCCM discovers servers, desktops, tablets, etc. connected to a network through Active Directory to ensure the security of data stored on those devices.
Microsoft Exchange High Availability Logs Collects Microsoft Exchange High Availability logs. For this connector to work, a new key named Microsoft-Exchange-HighAvailability/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
MicrosoftNetworkProfileOperational Network profiles define the attributes for the connection operation to a basic service network. For this connector to work, a new key named Microsoft-Windows-NetworkProfile/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
NGINX Plus web delivery platform error logs NGINX adds enterprise-ready features for HTTP, TCP, and UDP load balancing, such as session persistence, health checks, advanced monitoring, and management to give you the freedom to innovate without being constrained by infrastructure
Nagios
Radius server bundled with Windows Server 2008 and later Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization.
SecureLink Device Gateway Vendor 2FA authentication Remote Access appliance.
SolarWinds Orion and Virtualization Manager
Survalent ADMS Software automation solution Survalent ADMS is a software automation solution that provides real-time supervisory control and data acquisition for utilities
Titus Enterprise Information Protection Protect enterprise information.
Ubiquiti Wireless Access Point Collects events for Ubiquiti Wireless Access Point.
ePolicy Orchestrator (ePO)
ePolicy Orchestrator (ePO) 4.5+
vCenter Server is the centralized management utility for VMware. vCenter Server is the centralized management utility for VMware.
Network Services <return to top>
Array APV 1600 Array APV 1600: Application delivery controller - SSL/TLS accelerator
AudioCodes Mediant SBC Collect logs from AudioCodes Mediant Session Border Controllers (SBC)
Avaya SBC Gather logs from Avaya SBC
Barracuda Admin Collects admin events, such as changes and updates, from all Barracuda devices. Recommend using this connector along with the BarracudaWebAppFW and BarracudaWeb connectors.
Barracuda Mail Archiver Cloud-Connected Message Archiving for Efficiency and eDiscovery
Barracuda Spam Firewall Barracuda Spam and Virus Firewall manages all inbound and outbound email traffic
Bind Collects application-specific events generated in the application log. Used for firewalls and routers where Bind is deployed. Covers logs from Infoblox together with the connector linuxdhcpd.xml.
CA's BrightStor v11.5
Calix Telecommunications Calix is a supplier of telecommunications access equipment for service providers
Cisco Network Registrar for Windows
Cisco Unified Communications Manager (CallManager) Cisco Unified Communications Manager provides services such as session management, voice, video, messaging, mobility, and web conferencing.
DHCPd Collects DHCP daemon lease grant, renewal, and location events from dhcp enabled devices. Covers logs from Infoblox together with connector bind.xml.
DNS Bind Collects application-specific events generated in the application log. Used for firewalls and routers where Bind is deployed.
Distil Networks Distil Networks provides bot detection and mitigation
Eaton Cooper Power Systems Provides power system operators with a complete suite of software applications to remotely manage all installed intelligent IEDs.
Gemalto Luna Gemalto Luna
IIS Configuration IIS Configuration. For this connector to work, a new key named Microsoft-Windows-IIS-Configuration-Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
IceWarp Mail Server (Merak) IceWarp Mail Server (Merak) is a mail server
Infoblox NIOS This connector is a combination of connector bind.xml and linuxdhcpd.xml. There is nothing specific to Infoblox.
KEMP User Log KEMP load balancer user authentication log
Kemp LoadMaster Kemp LoadMaster (CEF format)
Kerio Connect Collects events from Kerio Connect mailserver
Linux Sendmail Collects mail-related events from devices running Sendmail software.
LinuxLDAP Access Gathers access messages from the LinuxLDAP server
LinuxLDAP Error Gathers error messages from the LinuxLDAP server
Locum RealTime Monitor Collects events from Locum RealTime Monitor.
Microsoft Cloud App Security Collects events from Microsoft Cloud App Security (CASB) SIEM agent via syslog. For more information visit https://www.solarwinds.com/documentation/kbloader.aspx?kb=SF20236
Microsoft Exchange Server in W3C format without Fields value Microsoft Exchange Server in W3C format without Fields value
Microsoft Windows WAS, Microsoft Sharepoint Services, vmStatsProvider, Manager Reporter 2012 services Logs
NetIQ eDirectory Authentication/Creation/Deletion events from the Novell NetIQ eDirectory services
Netskope CASB Netskope Security Cloud CASB (Cloud Access Security Broker) is cloud based software that sits between cloud service users and cloud applications and monitors all activity and enforces security policies. This connector covers syslog logs in CEF format.
Nimble SAN Collects events from Nimble SAN
Nutanix Covers logs from all Nutanix products.
OpenLDAP Collects LDAP-related events from devices running OpenLDAP.
Oracle Communications Subscriber-Aware Load Balancer and Session Border Controller (SBC) parts of Oracle ACME Oracle Communications Subscriber-Aware Load Balancer (SLB) enables scaling of capacity from SIP or IP address. Oracle Communications Session Border Controller for fixed line, mobile and over-the-top services
Oracle SD-WAN Gather logs from Oracle SD-WAN
Postfix Collects events from Postfix Mail Server.
Quest VMWare vRanger Detects errors and information from Quest Software's vRanger Pro and Standard Edition
Redline Covers logs from Redline devices including RDL-3000
Riverbed/Brocade Stingray A traffic manager/load balancer. It logs traffic rule violations, system amendments and so on to syslog.
SafeNet DataSecure Certificate Server Collects events from the SafeNet DataSecure i450 appliance.
Semafone
SolarWinds Web Help Desk IT Services and Asset management software
Symantec Backup Exec System Recovery
Symmetricom SyncServer Collects events from Symmetricom SyncServer series (including S100, S200, S250, S300, S350, and S350 SAASM) devices.
Synology cloud software Synology creates network-attached storage (NAS), IP surveillance solutions, and network equipment
TACACS+ server based on Cisco engineering release Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services.
WatchGuard Extensible Content Security (XCS) auth log Collects authorization events from WatchGuard devices. This also requires the configuration of OpenSSH and PAM to watch the same logfile to capture everything.
WatchGuard Extensible Content Security (XCS) syslog Collects syslog events from WatchGuard devices.
Windows DHCP Server 2000
Windows DHCP Server 2000/2003/2008 System Log
Windows DHCP Server 2003 and 2008
Windows DNS-Server-Analytical Analytical log from Windows DNS Servers. For this connector to work, a new key named Microsoft-Windows-DNSServer-Analytical must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Windows Server 2008 Log
named bind Collects application-specific events generated in the application log. Used for firewalls and routers where Bind is deployed.
smnpd daemon messages Collects events from various applications running the snmp daemon.
Operating Systems <return to top>
AIX Audit
AIX Syslog Gathers syslog events on OS access, configuration, user monitoring, and VM monitoring from devices running the IBM AIX operating system.
Debian 8.8 kern logs Debian 8.8 kern logs
Debian v8.8 Debian v8.8 logs
FireEye Operating System Collects events from FireEye Operating System.
FreeBSD Authentication Collects authentication events from devices running FreeBSD. This also requires the configuration of OpenSSH and PAM to watch the same logfile to capture everything.
HP OpenVMS 8+ Collects OS events for devices running OpenVMS 8 or later.
HP-ux Syslog Collects OS access, configuration, user monitoring, and VM monitoring events from devices running HP-UX.
Legacy TriGeo Agent AS400 Tool Collects auditing events from IBM AS400 appliances running Trigeo AS400 software.
Linux Auditd Linux Auditd (non-syslog)
Linux PAM Collects authentication events from devices running PAM software.
Linux PAM command Collects authentication events from devices running PAM software.
Linux command line logging
Linux syslog events Gathers syslog events on OS access, configuration, user monitoring, and VM monitoring from devices running Red Hat and other Linux distributions.
LogAgent for OS400 (Patrick Townsend Security Solutions) Collects OS auditing information from IBM OS400 appliances (now called System I).
Mac OS X (crashreporter)
Mac OS X (install) Collects software installation events from devices running Mac OSX.
Mac OS X (mail) Collects mail traffic events from devices running Mac OSX.
Mac OS X (ppp)
Mac OS X (secure) Collects authentication, account, and group information events from devices running Mac OSX.
Mac OS X (system) Collects system-level events from devices running Mac OSX.
Microsoft Cluster Services events For this connector to work, a new key named Microsoft-Windows-FailoverClustering/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Sysmon The Microsoft Sysmon product is used to log and monitor processes. For this connector to work, a new key named Microsoft-Windows-Sysmon/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here: https://support.solarwinds.com/SuccessCenter/s/article/How-To-configure-a-Windows-Sysmon-connector-on-a-LEM-appliance
Microsoft Windows NTLM For this connector to work, a new key named Microsoft-Windows-NTLM/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows Task Scheduler Microsoft Windows Task Scheduler for Vista/7/2008 and beyond. For this connector to work, a new key named Microsoft-Windows-TaskScheduler/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Microsoft Windows Terminal Services Local Session Manager The Microsoft-Windows-TerminalServices-LocalSessionManager component is responsible for starting the computer and implementing Windows Fast User Switching (FUS). For this connector to work, a new key named Microsoft-Windows-TerminalServices-LocalSessionManager/Operational must be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
MobileIron Assemble Mobile Data Security and Device Management for Enterprises
MobileIron VSP Mobile Data Security and Device Management for Enterprises
Novell Netware 4.1 - 5.3
Novell Netware 6.5
Novell Netware 6.5 (Database)
Novell Netware 6.5 File
Open SSH Collects authentication events from devices running Open SSH.
Oracle Linux secure logs Oracle Linux secure logs
PowerTech Interact Collects OS auditing information from IBM OS400 appliances (now called System I).
SELinux Collects events from devices running SELinux.
Solaris 10 BSM Auditing Collects events from Solaris 10 servers running the Basic Security Module.
Solaris 10 Snare Auditing
Solaris 11 Collects events from Solaris 11 operating system
Solaris 8 and 9 Snare Auditing
VMWare ESX esxcfg-firewall log
VMWare ESX hostd log
VMWare ESX messages log Collects events from VMWare ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors
VMWare ESX secure log Collects events from VMWare ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors
VMWare ESX vmkernel log Collects events from VMWare ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
VMWare ESX vmkwarning log Collects events from VMWare ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
VMWare ESXi Hostd log Collects events from VMWare ESXi, to be run in conjunction with ESXi Messages, ESXi Hostd, and ESXi vmkernel connectors.
VMWare ESXi messages log Collects events from VMWare ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors
VMWare ESXi vmkernel log Collects events from VMWare ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
Windows Application - Syslog Windows Application logs via Syslog
Windows Application Log
Windows DNS Server Audit Log For this connector to work, a new key named Microsoft-Windows-DNSServer/Audit needs to be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
Windows DNS Server Log
Windows DNS Traffic Log
Windows Directory Service Log
Windows File Integrity Monitoring (FIM) File and Directory Windows File Integrity Monitor (FIM) provides configurable real-time change tracking for files and directories on Windows servers and workstations. Configure files and directories or dynamic patterns of files and directories to monitor and types of changes to monitor for each configured file/directory. To learn how to configure FIM on Linux, visit https://thwack.solarwinds.com/docs/DOC-190279
Windows File Integrity Monitoring (FIM) Registry Windows File Integrity Monitor (FIM) provides configurable real-time change tracking for registry keys and folders on Windows servers and workstations. Configure registry keys and folders or dynamic patterns of registry keys and folders to monitor and types of changes to monitor for each configured key/folder. To learn how to configure FIM on Linux, visit https://thwack.solarwinds.com/docs/DOC-190279
Windows File Replication Service
Windows Filtering Platform Events
Windows NT/2000/XP Security Log
Windows Security - Syslog Windows Security logs via Syslog
Windows Security Log Windows Security logs (Windows 2008 and newer)
Windows System - Syslog Windows System logs via Syslog
Windows System Log
iSecurity CEF Collects audit logs from iSecurity developed by RazLee
iSecurity for OS400 (Raz-Lee)
linuxauditd (syslog) Normalizes linux audit logs from syslog format into SEM
sudo Collects events from various applications running sudo.
sudo syslog Collects events from various applications running sudo.
Physical Infrastructure
APC InfraStruXure Gathers power monitoring events from InfraStruXure racks and UPS Network Management Cards. Also covers syslog events from NetBotz devices.
APC Netbotz Gathers non-syslog events from APC Netbotz devices.
Dell DRAC Dell Access Card for Remote Administration
Dell Server Administrator Gathers Storage Management and System Events for Dell Server Administrator from the Windows Application Event Log
EMCUnity Dell EMC Unity Storage array
Fujitsu Blade Servers Fujitsu Blade Servers
Fujitsu Storage ETERNUS Fujitsu Storage ETERNUS consolidates data for server virtualization, e-mail, databases and business applications as well as centralized file services.
Grandstream Gateway The Grandstream Analog VoIP Gateway integrates traditional phone systems into a VoIP network and manages communication.
HP BladeSystem Enclosure auth log Collects authorization events from HP BladeSystem enclosures.
HP BladeSystem Enclosure local log Collects authorization events from HP BladeSystem enclosures.
HP Printer Collects events from HP Color LaserJet Enterprise M750 Printer series.
HP Proliant iLO 4 HP Proliant iLO 4 and later - Lights-out blade management
HPE 3PAR StoreServ Hewlett Packard Enterprise 3PAR StoreServ
Hitachi AMS Collects events from Hitachi Adaptable Modular Storage devices.
JACO CartCare
Tripp Lite SNMPWEBCARD Collects events from Tripp Lite SNMPWEBCARD
TrippLitePDU TrippLitePDU is a network power distribution unit that distributes power to the rack.
Proxies/Content Filters
Actiance Unified Security Gateway Collects events from Unified Security Gateway appliances.
Barracuda Web Filter Collects Web traffic analysis events, by user, source, destination, configuration, and authentication, from Barracuda devices. Recommend using this connector along with the BarracudaAdmin and BarracudaWebAppFV connectors.
Blue Coat Proxy SG web access Collects Web Proxy Access events from the following series of Blue Coat ProxySG appliances: 210, 300, 510, 600, 810, 8100, and 9000.
Blue Coat ProxySG Collects events from the following series of Blue Coat ProxySG appliances: 210, 300, 510, 600, 810, 8100, and 9000.
Cisco AsyncOS Access Log Cisco AsyncOS Access Log (Squid Format)
Cisco Content Security and Control Security Services Module 6.1-6.2 Collects events from Cisco Content Security and Control Security Services Module 6.1-6.2.
Cisco Content Security and Control Security Services Module 6.3+ Collects events from Cisco Content Security and Control Security Services Module 6.3.
ClearSwift Secure Email Gateway Inspection and filtering of e-mail content
Forcepoint TRITON AP-WEB Collects events from Forcepoint TRITON AP-WEB
FortiWeb Web Application Firewall Collects web-related events and device information from FortiWeb Web Application Firewall appliances.
IronPort Email Security Appliance Collects mail-related events and device information from IronPort Email Security appliances.
IronPort Web Security Collects web-related events and device information from IronPort Web Security appliances.
Mail Assure Collects events from Mail Assure email security.
McAfee Email Gateway Collects mail-related events and device information from McAfee Email Gateway appliances.
McAfee Web Gateway v6.x Collects web-related events and device information from McAfee Web Gateway v6.x and higher appliances.
McAfee Web Gateway v7.x Collects web-related events and device information from McAfee Web Gateway v7.x and higher appliances.
Sonicwall Email Security
Sophos ES appliance Collects events from the Sophos Email Security appliance; should be run in conjunction with the auth connector.
Sophos ES appliance auth Collects events from the Sophos Email Security appliance; should be run in conjunction with the auth connector.
Sophos WS appliance Collects events from the Sophos Web Security appliance.
Squid Access Log
SquidGuard Access Block Log
St. Bernard iPrism Collects events from iPrism Internet Filtering Appliances.
Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) Access Collects Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) Access events from the SG600 and possibly other Access appliances running SGOS. The connector requires the following fields to be set: #Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation cs-threat-risk x-bluecoat-transaction-uuid x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata)
Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) SSL Collects Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) SSL events from the SG600 and possibly other SSL appliances running SGOS. The connector requires the following fields to be set: #Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-category cs-threat-risk x-rs-certificate-hostname-threat-risk
Symantec Web Security for Windows
SymantecWebGateway Symantec Web Gateway Malware and content filtering screening device
Trend IWSVA Audit Log
Trend IWSVA URL Access Log
Trend IWSVA URL Block Log
Trend IWSVA Update Log
Trend IWSVA Virus Log
Trend-Micro IWSVA URL log
Websense Security Gateway Anywhere Collects device/software events from Websense Security Gateway Anywhere appliances.
Websense Web Filter and Websense Web Security Collects device/software events from Websense gateways.
Websense Web Filter and Websense Web Security Database Collects device/software events from Websense gateways.
Webtitan Webtitan - Web Content Filter
eSafe Collects web security and email security events from eSafe application.
Routers/Switches
3Com Switch Gathers events from the following 3com switches: 4400, 4500, 4500G, 4800G, 5500, 5500G, 7750, 8800, S7900E.
AXIA Ethernet Switch The modular broadcast control surface from Axia Audio.
Adtran Atlas Switch Gathers events from Adtran Atlas switches.
Adtran NetVanta Router Gathers events from the following series of Adtran NetVanta routers: 1300, 1500, 2000, 3100, 3200, 3300, 3400 (Modular Access and Multiservice Access), 4000, 5000, and 7100.
Aerohive log Aerohive SR2024 SR2024P SR2148P CVG log
Alcatel-Lucent OmniSwitch Collects events from Alcatel-Lucent OmniSwitch.
Allied Telesis Routers and Switches Collects syslog data from Allied Telesis 8600 Series Fast Ethernet Layer 3 switches, and AT-41x routers.
Arista switches Collects events from Arista switches.
Aruba Wireless Access Point Collects events from Aruba wireless access points with firmware version 2.x.
Aruba Wireless Access Point 3x Collects events from Aruba wireless access points with firmware version 3.0 and later.
Aruba2930 Aruba 2930M-24G switch
Avaya/Nortel VSP 7000 Ethernet Routing Switch Collects events from the following Avaya/Nortel Ethernet Routing Switches: 5510, 5520, 5530-24TFD, 8600, VSP 7000.
Blade RackSwitch Collects events from Blade RackSwitch G8100 and G8124 10G Low Latency Switches, as well as the RackSwitch G8000 1-10G Aggregation Switch.
Bluesocket vWLAN Bluesocket devices Virtual Wireless LAN
Brocade Iron Series Collects events from Brocade Iron Series switches and routers.
Brocade VDX Switches Collects events from Brocade VDX switches.
Brocade Vyatta Router Gathers events from Brocade Vyatta Router
Cisco 4000 Series Integrated Services Routers (ISRs), Intelligent WAN platform Cisco 4000 Series Integrated Services Routers (ISRs), Intelligent WAN platform
Cisco CatOS Collects events from Cisco Catalyst devices running IOS 12.2+, or CatOS 6.2+.
Cisco Nexus NX-OS Collects events from Cisco Nexus Switches (running NX-OS).
Cisco Small Business 300 Series Managed Switch Collects events from the series of Cisco Sx300 Security Appliances
Cisco Wireless LAN Controller and IOS-XE Software Collects events for Cisco Wireless LAN Controllers, as well as for IOS-XE based routers/switches.
Dell Force10 Switch Collects events from Dell Force10 Switch.
Dell N Series Switches Dell Networking N2000 Series 1GbE Layer 3 Switches
Dell PowerConnect Switches Collects events from Dell J-EX4200 and J-EX8200 Ethernet switches.
Enterasys C-Series and N-Series Switches Collects events from Enterasys C-Series and N-Series switches.
Enterasys IdentiFi Wireless Controller Collects events for Enterasys IdentiFi Wireless Controller.
Extreme Networks VSP Extreme Networks VSP collects events from Virtual Services Platform devices.
Extreme Switch Collects events from Extreme Networks Alpine, BlackDiamond, and Summit switches.
Foundry Collects events from the following Brocade FastIron switches: 1500, 400, 800, and Edge Switches 2402, 4802, and 9604.
FreeWave
HP MSM700 Series Controller Collects network traffic events, changes to the device, device issues, and authentication events from MSM wireless controller devices.
HP ProCurve 1910-24G-PoE Switch and H3C Collects Events for HP Procurve 1910-24G-PoE Switch, H3C and FlexFabric Switch series
HP ProCurve Switches Firmware F.05.65+ Zl Series Collects events for HP ProCurve switches running Firmware version F.05.65+.
HP Router Gathers events from the HP 930 MSR Router.
Hirschmann OpenRail System Compact Switch Collects events specific to Hirschmann OpenRail System Compact Switch appliances.
Huawei Switches Collects events from Huawei switches.
Juniper JUNOS Collects events from Juniper routers and switches running JUNOS.
Junos Pulse Gateway Junos Pulse Gateway provides SSL/VPN, network access control, and application acceleration.
Meru Wireless Meru MC3200 Meru Wireless Controller
MetaSwitch Universal Media Gateway Collects events from the MetaSwitch Universal Media Gateway MG6050; it will most likely work for other versions as well.
Mikrotik Routers Provides wireless ISP systems for Internet connectivity around the world.
Motorola WLAN Controller Collects events from Motorola WLAN controller 4000 series appliances.
Motorola WS2000 snmp Gathers events from the Motorola WS2000 series switches via SNMP
NEC IX Router Collects events from NEC IX Series routers.
Netgear Switch Collects events from Netgear switches.
Nortel Baystack Collects events from Nortel Baystack switches.
Nortel Contivity 200 Series Collects events from Nortel Contivity secure IP gateways (200 series).
Nortel Ethernet Routing Switch 4500 Series Collects events from Nortel Ethernet Routing Switch 4500 Series devices (Nortel is now a subsidiary of Avaya).
Nortel WLAN Security Switch Collects events from the following Nortel WLAN Security Switches: WLAN Access Point 2330, 2330A, 2330B, 2332, 2350, 2360/2361, 2380, 2382.
Proxim Orinoco WAP Collects events from the Proxim Orinoco Wireless Access Point.
QLogic Fibre Channel Switch Collects events from QLogic Fibre Channel Switches.
Raritan Dominion Switch Collects events from the Raritan Dominion KVM-over-IP switches.
Ruckus ZoneDirector Wireless LAN Controller Collects events for Ruckus ZoneDirector Wireless LAN Controllers.
RuggedCom Switch Collects events from the following RuggedCom Switches: M2100, RST2228, RX1500.
SilverPeak WAN Acceleration and Optimization SilverPeak WAN Acceleration and Optimization
Telco Switch Layer 2 switch by Telco Systems
Xirrus WiFi Array Collects events from Xirrus wireless arrays.
ZyXEL P-660HW-T Gathers events from ZyXEL's P-660HW-T 802.11g Wireless ADSL 2+ 4-port Gateway
ZyXEL XGS4528F Gathers events from ZyXEL's XGS4528F
Security and UTM
Cyberoam UTM Collects events from Cyberoam UTM appliances.
Enforcive Enterprise Security Enforcive/Enterprise Security for IBM i: access control, security, compliance and log management
FireEye Malware Protection System Collects events from FireEye MPS Appliance.
FortiGate 2.5 Collects events from Fortigate UTM appliances that use firmware version 2.5.
FortiGate 2.8+ Collects events from Fortigate UTM appliances that use firmware version 2.8 and later.
FortiGate 300C Collects events from Fortigate UTM appliances that use firmware version 300C.
FortiMail Email Security Appliances FortiMail is a complete Secure Email Gateway platform suitable for any size organization
McAfee Network and Security Platform (IntruShield) - deprecated Collects events from McAfee Network and Security Platform (IntruShield). This connector is deprecated, please use 'McAfee Network Security Manager' instead.
Meraki MX Collects events from Meraki MX Security Appliance.
Proofpoint Enterprise Protection Protects businesses from email threats and other forms of objectionable or dangerous content.
SmoothWall Unified Threat Manager Collects events from SmoothWall UTM appliances and software.
Sophos UTM 9 Collects events from Sophos UTM 9
Sophos UTM 9 (non unix syslog timestamp) Collects events from Sophos UTM 9 that start with date-time (format YYYY:MM:DD-HH:MM:SS) instead of unix syslog timestamp.
WatchGuard Firebox Outdated - use WatchguardFirewalls.xml
WatchGuard Firebox X Edge E-Series Outdated - use WatchguardFirewalls.xml
WatchGuard SOHO
WatchGuard Xcore Outdated - use WatchguardFirewalls.xml
Zscaler Web Security / Advanced Security Zscaler protects against malware, viruses, advanced persistent threats and other risks, and can also stop inadvertent or malicious leaks of a company's sensitive data.
cyphort threat protection Network-based Next Generation APT Defense.
fireEye HX fireEye HX
Storage
Dell Compellent storage Collects logs from Dell Compellent Storage Area Network (SAN) controllers.
Dell Equallogic storage area network systems EqualLogic products are iSCSI-based storage area network systems marketed by Dell.
HP StorageWorks Modular Smart Array Collects device information events for StorageWorks arrays.
IBM NetApp ONTAP Collects device information events for NetApp appliances.
NetApp Gathers events from NetApp
NetApp ONTAP OnCommand Collects events for ONTAP Cluster Management using OnCommand System Manager.
Qumulo Covers logs from Qumulo Core
System Scan Reporters
ForeScout CounterACT NAC
Nessus Message
Nessus Report
Nessus Security Scanner NBE Report
Nessus XML Report
PatchLink Vulnerability
QualysGuard Scan Report
Rapid7 NeXpose Vulnerability Scanner
Retina
VPN and Remote Access
Array Networks SPX Collects events from Array Networks Secure Access Gateways.
Azure Multi-Factor Authentication Server Multi-Factor authentication for hybrid environments
Barracuda SSL VPN Connector Collects events from Barracuda SSL VPN appliance.
Cisco VPN Collects events for Cisco VPN concentrators.
Citrix Secure Access Gateway Collects events about application access, configuration, and user monitoring from Citrix secure access gateways.
Citrix Secure Gateway Access - XenApp Server
Citrix XenDesktop
Citrix XenServer auth log Collects authorization events from Citrix devices.
Citrix XenServer daemon log Collects daemon log events from Citrix devices.
Corente AWB Collects events from the Corente AWB application.
FirePass SSL VPN Collects SSL VPN authentication and VPN access events on F5 FirePass appliances.
Neo Accel SSL VPN Collects SSL VPN authentication and VPN access events on Neo Accel SSL VPN appliances.
Neoteris VPN/Juniper SA series Collects SSL VPN authentication and VPN access events on Juniper SA series SSL VPN appliances.
Netgear SSL VPN Concentrator SSL312 Collects SSL VPN authentication and VPN access events on Netgear SSL VPN Concentrator appliances.
Netilla VPN Collects SSL VPN authentication and VPN access events on Netilla VPN appliances.
Nortel Contivity Collects events from the following Nortel Contivity secure IP gateways: 1000, 1750, 2700, 500, and 600.
OpenVPN Collects VPN-related events from devices running OpenVPN.
Permeo VPN Collects events from Permeo VPN appliances.
PulseSecure Pulse Secure collects logs from Pulse Connect Secure and Pulse Policy Secure. Two instances of this connector should be created, one pointing to the user.log facility and one to the localX.log facility.
RemotelyAnywhere / LogMeIn
Riverbed Steelhead WAN Optimization Collects events from Riverbed Steelhead WAN Optimization Appliance.
SonicWALL Aventail SSL VPN E-Class and SMA Collects events from Dell Aventail SSL VPN E-series and SMA (Secure Mobile Access) appliances.
SonicWALL SSL VPN Collects events from Dell Aventail SSL VPN appliances (NOT E-class).
SonicWall E-Class SRA Collects events from Dell SonicWALL E-Class Secure Remote Access appliances.
Ultra VNC
VMware Horizon 7 VMware Horizon 7
WatchGuard Vclass
WatchGuard Vclass (Alarm)
WatchGuard Vclass (VPN)
pcAnywhere
WebServer
AnyEvent
Apache (syslog) Covers Apache-style logs sent via syslog (starting with the Apache Common Log format), including Fastly apache-style logs.
Apache Access
Apache Access Rotating
Apache Error
Apache Error Rotating
Apache Tomcat isapi_redirect
Atlassian BitBucket Server Atlassian BitBucket is a web-based version control repository hosting service
EscalationAssignmentAbortedEvent
Guidewire Captures Tomcat logs from Guidewire. Apache Tomcat is an open source web server/Java Servlet Container.
IIS error connector IIS error connector
Incapsula Web Application Firewall
LanguageAssignmentEvent
Localhost Apache Access
Microsoft Forefront Threat Management Gateway 2010 Web Proxy (W3C Server file format) Collects Microsoft Forefront Threat Management Gateway log messages from files in the W3C format.
Microsoft IIS Advanced Logging
Microsoft IIS Web Server 10.0 (W3C Extended file format)
Microsoft IIS Web Server 5.0 (W3C Extended file format)
Microsoft IIS Web Server 6.0 (W3C Extended file format)
Microsoft IIS Web Server 7.0 (W3C Extended file format)
Microsoft IIS Web Server 8.5 (W3C Extended file format)
Microsoft IIS Web Server 8.5 (W3C Extended file format) Enhanced Logging
MicrosoftIISLogging via Windows Event Log Internet Information Services logging via Windows Event Log | For this connector to work, a new key named Microsoft-IIS-Logging/Logs needs to be added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. An example of this for a different connector is shown here.
MilestoneXProtect_C
MilestoneXProtect_Configuration
MilestoneXProtect_audit
NGINX Error
NetMotion Mobility Server_mobility events
NetMotion Mobility Server_nmact events
NetMotion Mobility Warehouse_Access events
NetMotion Mobility Warehouse_Error events
SignonEvents
SingleSignonEvents
Syncplify.Me (W3C Extended File Format) Gathers logs from Syncplify.me (secure SFTP server) in W3C format, stored locally as a flat file.
Tomcat ASC Config Change event Tomcat ASC Config Change event
Tomcat Cluster Event Tomcat Cluster Event
Tomcat Common daemon Tomcat Common daemon
Webdefend-Trustwave Web application firewall; logs events based on actions taken on web traffic in order to prevent attacks.
Websphere 7 SystemOut Log