Documentation for Security Event Manager

SEM connectors

Updated: May 13, 2024

SEM connectors intercept events sent from a specific product in your network and convert these events into normalized messages that SEM can understand.

See Collect and normalize event data using SEM connectors for details on how to apply a SEM connector update package and set up the SEM connectors.

SEM connector categories

Listed below are the categories of network security products that can connect to SEM. Click a category to review all current connectors available for the selected category. See SEM connector categories for a description of each category.

Jump to: Anti-Virus | Application | Application Switch | Data Loss Prevention | Database | E-Mail | File Transfer and Sharing | Firewalls | IAM | IDS and IPS | Manager | Network Access Control | Network Management | Network Services | Operating Systems | Physical Infrastructure | Proxies/Content Filters | Routers/Switches | Security and UTM | Storage | System Scan Reporters | VPN and Remote Access | WebServer

Anti-Virus
AMaViS Collects syslog events from AMaViS. This product is a mail virus scanner that filters spam. Typically used in conjunction with the ClamAV connector.
AVG 7.5 Network
AVG DataCenter 7.5
AVG DataCenter 8.0
Bromium virtualization-based security catches Bromium virtualization-based security catches.
ClamAV Collects events from devices where the Clam AV application has been deployed.
Command Antivirus for Windows
Command for Exchange Server
Cylance-Next Generation Anti-Virus Cylance-Next Generation Anti-Virus.
ESET NOD32 syslog Collects syslog events from ESET NOD32 Server.
Enhanced Mitigation Experience Toolkit (EMET)

The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited.

EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities.

These security mitigation technologies do not guarantee that the vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.

Eset Remote Administrator Connector for Eset Remote Administrator.
F-Secure Anti-Virus 7
F-Secure Policy Manager Server 10 Collects F-Secure events from the Policy Manager Server H2 embedded database.
F-Secure syslog Collects events from the F-Secure syslog.
Forefront Endpoint Protection - AV
Forefront Security Application Log (Client Security, Exchange and Sharepoint)
Forefront Security SQL Database
Forefront Security System Log (Client Security)
FreshClam

Collects events from devices using FreshClam to update ClamAV.

It is recommended that this connector is used in conjunction with the ClamAV connector.

Group Shield/Outbreak for Exchange Server
InoculateIT 6.0
InoculateIT 7.0+
Kaspersky Administration Kit 8
Kaspersky Administration Kit 8 - Extended version
Kaspersky Anti-Virus 10
Kaspersky Anti-Virus 6
Kaspersky Endpoint Security 11
Kaspersky Security Center
Kaspersky Security Center - Extended
Kaspersky events via Windows EventLog
Malware Bytes Management Console Malware Bytes Management Console.
Malware Bytes non-syslog Malware Bytes connector non-syslog, protection-log-yyyy-mm-dd, protection-log-yyyy-mm-dd.xml.
Malware bytes syslog Malwarebytes protects you against malware, ransomware, and other advanced online threats.
McAfee Access Protection
McAfee Activity Log (4.5 DAT file update)
McAfee Mail Scan
McAfee NetShield
McAfee On Access Scan v7.0
McAfee Total Protection
McAfee Update v7.0
McAfee VSC
McAfee VSH 5.0/7.0
McAfee VSH 80i
McAfee VSH 85i
McAfee VSH Home
McAfee Web Email Scan
Microsoft Security Essentials
Microsoft Windows Defender-Operational

Microsoft Windows Defender is an anti-malware application that identifies and removes viruses, spyware, and other malicious software.

To enable, a new key called Microsoft-Windows-Windows Defender/Operational needs to be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows Defender-Windows Health Center

Microsoft Windows Defender is an anti-malware application that identifies and removes viruses, spyware, and other malicious software.

To enable, a new key by the name of Microsoft-Windows-Windows%20Defender/WHC must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

If there are issues, delete '%20' from the registry key name and Log File field. Make sure that both strings match.

NOD32 Antivirus 4 Access Event
NOD32 Antivirus 4 Access Scan
NOD32 Antivirus 4 Access Threat
NOD32 Antivirus 4 SQL Event
NOD32 Antivirus 4 SQL Scan
NOD32 Antivirus 4 SQL Threat
NOD32 Antivirus 5 Access Event Collects NOD32 5 Event events from the ESET Remote Administrator MS Access database.
NOD32 Antivirus 5 Access Firewall Collects NOD32 5 Firewall events from the ESET Remote Administrator MS Access database.
NOD32 Antivirus 5 Access Scan Collects NOD32 5 Scan events from the ESET Remote Administrator MS Access database.
NOD32 Antivirus 5 Access Threat Collects NOD32 5 Threat events from the ESET Remote Administrator MS Access database.
NOD32 Antivirus 5 SQL Event Collects NOD32 5 Event events from the ESET Remote Administrator SQL database.
NOD32 Antivirus 5 SQL Firewall Collects NOD32 5 Firewall events from the ESET Remote Administrator SQL database.
NOD32 Antivirus 5 SQL Scan Collects NOD32 5 Scan events from the ESET Remote Administrator SQL database.
NOD32 Antivirus 5 SQL Threat Collects NOD32 5 Threat events from the ESET Remote Administrator SQL database.
Palo Alto Traps Palo Alto ESM Endpoint Security Manager, Anti-Virus.
Panda Security for Desktops 4.02
Sophos Anti-Virus SNMP
Sophos Anti-Virus for Win2k
Sophos Enterprise 2.0 Database  
Sophos Enterprise 3.0 Database  
Sybari's Antigen 7.0 for Exchange Server 2000
Symantec Corp Antivirus
Symantec Endpoint Protection 11 Collects events from Symantec Endpoint Protection versions 11 and later.
Symantec Endpoint Protection Small Business Edition - Application logs Symantec Endpoint Protection Small Business Edition - Application logs.
Symantec Endpoint Protection Small Business Edition - own logs

To enable, a new key called Symantec Endpoint Protection Client must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Symantec Protection Engine Symantec Protection Engine.
Trend IMSS
Trend IMSS Policy
Trend IMSS Virus
Trend InterScan
Trend Micro Control Manager Covers logs from Trend Micro Control Manager and Trend Micro Apex Central (including Apex One).
Trend Office Scan
Trend ScanMail
Trend Server Protect
VIPRE 5.0
VIPRE Business - System Events 4.0
VIPRE Business 4.0
VIPRE Enterprise 3.1
Webroot Antispyware Corporate Edition 3.5
eEye Blink Professional Endpoint Protection
Application
.Net Syslog Client Net Syslog client. Supports both RFC 3164 and RFC 5424 Syslog standards, as well as UDP and encrypted TCP transports.
Application and Services Logs - CertificateServicesClient-Lifecycle-System

Application and Services Logs - CertificateServicesClient-Lifecycle-System.

To enable, a new key called Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Application and Services Logs - CertificateServicesClient-Lifecycle-User

Application and Services Logs - CertificateServicesClient-Lifecycle-User.

To enable, a new key called Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Atlassian JIRA
BST Enterprise Collects events from BST Enterprise.
BST Enterprises BST Enterprises - Business software solution for Accounting.
BlueEye

Blue Eye Video management system.

To enable, a new key called Raytheon Blue Eye must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Bomgar Appliance Collects events from Bomgar remote support appliance.
Bunyan Admin/DS Logging Bunyan logging system for our NODE.JS application.
Call Copy

Records the calls and screen of the call center agents.

Cimcor CimTrak via syslog Cimcor CimTrak is a file integrity monitoring solution.
Citrix StoreFront Delivery Services Manages the delivery of desktops and applications from XenApp and XenDesktop servers and XenMobile servers in the data center to user devices.
Cron Service Gathers messages from the Cron daemon service.
DAXMonitor- Demand AnalytX monitor Logs to the windowsappliance logs.
Dell AppAssure Dell AppAssure reliably backs up, replicates, verifies and restores data.
Dell Quest Rapid Recovery (AppAssure Logs)

Dell Quest Rapid Recovery (AppAssure Logs) - Rapid Recovery backup and restore appliance.

To enable, a new key called AppAssure needs to be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Dell Quest Rapid Recovery (Dell Logs)

Dell Quest Rapid Recovery (Dell Logs) - Rapid Recovery backup and restore appliance.

To enable, a new key called Dell needs to be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Dell Quest Rapid Recovery (Quest Logs)

Dell Quest Rapid Recovery (Quest Logs) - Rapid Recovery backup and restore appliance.

To enable, a new key called Quest needs to be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Denyhosts Gathers events from the Sourceforge Denyhosts script.
Directory Synchronization
Epic Electronic Health Records System.
FactoryTalk View A versatile HMI application that provides a dedicated and powerful solution for machine-level operator interface devices.
Flex Teller
Hitachi JP1 Job Management Partner 1 / Automatic Job Management System Collects Hitachi JP1 Job Management Partner 1 / Automatic Job Management System 3 messages.
Hitachi JP1 Job Management Partner 1/Base Collects Hitachi JP1 Job Management Partner 1/Base messages.
Honeyd Virtual Honeypot Gathers messages from the Honeyd daemon.
HuaweiNCE Collects events from Huawei NCE devices.
Hyland Workflow Timer Service

Hyland Workflow Timer Service Administration is an administrative interface for managing core-based workflow timers.

To enable, a new key by the name of Hyland must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

HyperV-Hypervisor-Operational

To enable, a new key called Microsoft-Windows-Hyper-V-Hypervisor-Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

HyperV-Integration-Admin

To enable, a new key called Microsoft-Windows-Hyper-V-Integration-Admin must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

HyperV-SynthNic-Admin

To enable, a new key called Microsoft-Windows-Hyper-V-SynthNic-Admin must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

HyperV-VMMS-Admin

To enable, a new key called Microsoft-Windows-Hyper-V-VMMS-Admin must be added to the following registry entry: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

HyperV-VMMS-Networking logs

Hyper-V-VMMS-Networking Windows event log coverage.

To enable, a new key called Microsoft-Windows-Hyper-V-VMMS-Networking must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

HyperV-VMMS-Operational

HyperV-VMMS-Operational.

To enable, a new key called Microsoft-Windows-Hyper-V-VMMS-Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

HyperV-Worker-Admin

To enable, a new key called Microsoft-Windows-Hyper-V-Worker-Admin must be added to the following registry entry: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

IBM RACF and DB2 Syslog Collects syslog events from devices running RACF and DB2.
IBM RACF messages Collects events from devices running RACF.
JBoss Logging (MM/dd/yyyy HH:mm:ss)

JBoss is a module for Java that performs website programming. This connector covers logs that have the following date/time format:

MM/dd/yyyy HH:mm:ss

JBoss Logging ISO8601 (yyyy-MM-dd HH:mm:ss)

JBoss is a module for Java that performs website programming. This connector covers logs that have the following date/time format:

ISO8601 yyyy-MM-dd HH:mm:ss

Linux YUM
Log4Net
Log4j Collects Events from Log4j Applications.
Luminis Access Web Servers (portals).
Luminis cp Web Servers (portals).
Made2Manage
ManageEngine Password Manager Pro Stores and manages sensitive information.
Meditech Collects application access, configuration and user monitoring events from devices running Meditech software.
Meditech EMR Access Log
Microsoft Lync

Microsoft Lync is an enterprise-ready unified communications platform.

To enable, a new key called Lync%20Server must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows AppLocker- EXE and DLL

To enable, a new key called Microsoft-Windows-AppLocker/EXEandDLL must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows AppLocker- MSI and Script

To enable, a new key called Microsoft-Windows-AppLocker/MSIandScript must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows Failover Clustering (HyperV Cluster) logs

Microsoft Windows Failover Clustering (HyperV Cluster) log coverage

To enable, a new key called Microsoft-Windows-FailoverClustering/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

NetwrixAuditor Covers Netwrix Auditor Integration API logs in Microsoft Windows Event format.
OnBase enterprise information platform

OnBase enterprise content services platform managing content, processes, and cases.

To enable, a new key called OnBase%20Log must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Oracle Hyperion FM log Collects Windows Events from the Oracle Hyperion Financial Management Application.
Oracle Linux messages log Oracle Linux messages log.
Oracle WebLogic Server 12c

Oracle WebLogic Server 12c is a Java EE application server.

The logLocation is dependent on Server Name. It must be changed when creating a new connector.

PowerShell An automation platform and scripting language for Windows and Windows Server operating systems.
PowerShell 5.0

Extra logging for PowerShell 5.0.

To enable, a new key called Microsoft-Windows-PowerShell/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Print Services for Windows 7/2008(Admin)

Print Services help to share printers on a network and centralize print server and network printer management tasks.

To enable, a new key called Microsoft-Windows-PrintService/Admin must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Print Services for Windows 7/2008(Operational)

Print Services helps to share printers on a network and centralize print server and network printer management tasks.

To enable, a new key called Microsoft-Windows-PrintService/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

QCSI Application Log data
QCSI Data Logs
QCSI System Logs
Rohde and Schwarz CyberSecurity Covers Rohde and Schwarz Cyber Security logs. Supports RFC 5424 standard.
Salient Commercial Solutions Provides agile solutions and security for IBM, Insurance, and Mortgage domains.
Savant Protection Collects application-specific events from devices with Savant Protection installed on them.
Shibboleth IDP warn logs Shibboleth IDP warn logs.
Subnet POWER SYSTEM - AccessServer, ApplicationServer, DataServerSQL, ApplicationServerSharePoint
Syslog-ng A separate connector for syslog-ng internal events.
Toshiba devices Collects events from Toshiba printer and multifunction digital imaging systems.
Verint Provides software and hardware products for customer engagement management, security, surveillance, and business intelligence.
Wescom Resources Group's Host Gateway Windows Log
Windows Active Directory Federation Services

Windows ADFS logs to different locations.

To enable, logLocation should be changed to match Log Name in the Event Viewer. A new key with the same name as logLocation must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Windows Active Directory Federation Services, Auditing
Windows DHCP Server 2000/2003/2008 event Log(Admin)
Windows DHCP Server 2000/2003/2008 event Log(Operational)

To enable, a new key called Microsoft-Windows-Dhcp-Server/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Windows Secure Envoy Log Windows Secure Envoy log - authentication
Windows Setup Log

To enable, a new key called Setup must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

db2diag local file non-syslog db2diag local file non-syslog
vCenter vpxd 6.0 logs A piece of software, for software, hardware and applications for visualization Platform.
Application Switch
Cisco Content Services Switch Collects events from Cisco Content Services Switches.
Citrix Secure Access Gateway Enterprise Appliance / Netscaler Collects events about application access, configuration, and user monitoring from Netscalers.
ConSentry Controller Collects events from ConSentry switches.
Coyote Point Equalizer Collects events from the Coyote Point Equalizer server load balancing appliance.
F5 BigIP BSD daemon messages Collects events about services running on F5 appliances.
F5 BigIP HTTPD specific Collects web traffic events (primarily HTTP errors and warnings) from F5 appliances.
F5 BigIP messages Collects authentication and service-related events on the F5 appliances.
F5 General BIG-IP specific messages Collects events specific to local traffic manager(LTM) and Application Security Manager(ASM) on the F5 appliances.
FireProof Collects events from FireProof application switches.
LinkProof Collects device information and connection events from LinkProof switches.
Nortel Alteon Collects events from Nortel Alteon application switches.
Radware AppDirector
Data Loss Prevention
Bit9 Parity v5+ Syslog Collects events generated by the Bit9 Parity application control suite.
CodeGreen Content Inspection Collects content-related events generated from devices where Code Green is deployed. Should also enable the Code Green Content Inspection User connector.
CodeGreen Content Inspection user Collects events about creating and deleting users, connecting to LDAP, and settings changes from devices where Code Green is deployed. Should also enable the Code Green Content Inspection connector.
DeviceLock Audit
DeviceLock Events
EMC RecoverPoint Collects authentication and device management events from RecoverPoint and RecoverPointSE appliances.
FileSure
Forcepoint TRITON AP-DATA Collects events from Forcepoint/Websense TRITON AP-DATA and Forcepoint DLP.
Microsoft Backup Operational logs

To enable, a new key called Microsoft-Windows-Backup/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Data Protection Backup manager

To enable, a new key called DPM Backup Events must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Data Protection Manager

To enable, a new key called DPM Alerts must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

NuBridges Protect Key Manager

Collects events from NuBridges Protect Key Manager software.

Should be used in conjunction with NuBridges Protect Resource Service and NuBridges Protect Token Manager Engine.

NuBridges Protect Resource Service

Collects events from NuBridges Protect Key Manager software.

Should be used in conjunction with NuBridges Protect Resource Service and NuBridges Protect Token Manager Engine.

NuBridges Protect Token Manager Engine

Collects events from NuBridges Protect Key Manager software.

Should be used in conjunction with NuBridges Protect Resource Service and NuBridges Protect Token Manager Engine.

SecureSphere Collects events from Imperva SecureSphere Database, Web, and File security products.
SecureSphere Database Gateway 6.0 Collects events from Imperva SecureSphere Database Gateways using firmware version 6.0+.
SecureSphere System and Firewall Events 6.0 Collects events from Imperva Firewalls using firmware version 6.0+.
SecureSphere Web Application Firewall 6.0 Collects events from Imperva SecureSphere Web Application Firewall 6.0 using firmware version 6.0+.
SecureSphere v10 Collects events from Imperva SecureSphere v10.
Veeam backup and availability Veeam Backup provides backup and recovery of virtualized applications and data.
Veeam endpoint backup and availability Veeam endpoint Backup provides backup and recovery of virtualized applications and data.
Vericept Monitor Collects communication events from devices running Vericept Monitor software.
Websense Data Security Collects device/software events from Websense gateways.
Database
Collects events from Postgres Database log file Collects events from the Postgres Database log file.
IBM DB2 messages Collects events from DB2.
LOGbinder SQL Connects the SQL Server audit log to SIEM.
LOGbinder SQL Security Connects the SQL Server audit log to SIEM.
MS SQL Audit Events

Collects Microsoft SQL Server Audit events written into Windows Application/Security Log.

For more information about SQL Auditing, see SQL Server Audit (Database Engine) in the Microsoft SQL documentation.

MSSQL Application Log
MySQL Database log Monitors MySQL uptime, connections, and Error logs.
MySQL database tools on Windows err log MySQL provides a suite of tools for developing and managing business critical applications on Windows. This one covers the err log. You will need to choose the correct .err file.
OpenEdge Audit
Oracle Alert Log Oracle Alert gives an immediate view of the critical activity in a database.
Oracle Auditor - Buffer - Extended version Collects Oracle Audit events via log, including the table actions SELECT, INSERT, UPDATE, and DELETE.
Oracle Auditor - Database
Oracle Auditor - Database - Extended Collects events from Oracle Database, including Select, Insert, Update, and Delete.
Oracle Auditor - Syslog Collects Oracle Audit events via Syslog.
Oracle Auditor - Syslog - Extended version Collects Oracle Audit events via Syslog, including the table actions SELECT, INSERT, UPDATE, and DELETE.
Oracle Auditor - Windows
Oracle Auditor - Windows - Extended version Collects Oracle Audit events through WindowsLog, including the table actions SELECT, BEGIN, INSERT, UPDATE, and DELETE.
Oracle Unified Auditing system. Oracle Unified Auditing system starts with version 12c and must be set manually.
SolarWinds Log and Event Manager MSSQL Auditor

MSSQL Auditor supports only SQL Server versions up to 2016.

SolarWinds recommends using the 'MS SQL Audit Events' connector since it supports the newest MS SQL Server versions.

E-Mail
IBM Domino (AIX) IBM Domino (Lotus) for AIX.
LOGbinder for Exchange
Lotus Notes Webmail
Lotus Notes and Domino Server 8
Microsoft Exchange Application Log
Microsoft Exchange Event Log
Microsoft Exchange Management Log Microsoft Exchange Management Log
Microsoft Exchange Message Tracking Tracks all mail and message activity on the Microsoft Exchange server.
File Transfer and Sharing
Accellion Secure File Transfer using https and SFTP Accellion is a content collaboration platform that enables seamless access to content and centralized access to multiple on-premises and cloud-based content systems.
Axway Secure Client Collects events from the Axway Secure Client.
Cerberus FTP Server
CrushFTP CrushFTP is a robust file transfer server that makes it easy to set up secure connections with your users.
DFS Replication Gathers Distributed File System Replication events from the DFS Replication Windows Event Log.
EFT Server Enterprise Windows Application Log
FileZilla
GENE6 Secure FTP Server Security Gene6 FTP Server is a professional Windows FTP Server used to transfer important files over the Internet.
GENE6 Secure FTP Server Transfer Gene6 FTP Server is a professional Windows FTP Server used to transfer important files over the Internet.
Globalscape EFT client
Globalscape Secure FTP (W3C Extended file format)
GoAnywhere Services A secure FTP server (and optional web server) that allows trading partners and employees to connect to your system and exchange files in a secure environment.
HP StorageWorks Modular Smart Array SNMP HP StorageWorks Modular Smart Array SNMP.
LOGbinder for Sharepoint: LOGbinder SP log
LOGbinder for Sharepoint: LOGbndSP log
LOGbinder for Sharepoint: Security Log
MOVEit Log
MOVEit Windows Application Log
Microsoft IIS FTP Server 5+ (W3C Extended file format)
Microsoft IIS FTP Server 7.0 (W3C Extended file format)
Microsoft Offline Files Operational

Microsoft Offline Files logs issues with Sync centre/offline file sync.

To enable, a new key called Microsoft-Windows-OfflineFiles%4Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

OpenBSD FTPd Collects FTP-related events from devices running OpenBSD FTPd.
Panzura Distributed File Services The Panzura Global File System transforms cloud storage, public or private, into a high-performance, globally distributed file system.
ProFTPD Access
ProFTPD Auth
Pure Storage Purity Pure Storage Purity software-defined storage and flash management purpose-built to power Pure’s shared accelerated storage.
Pure-FTPd
QNAP NAS/File Server
Samba Collects file and print sharing related events from devices running Samba.
Serv-U FTP Server
Serv-U FTP Server (Never Rotate)
SmartFile Secure File Sharing and Transfer Solutions SmartFile Secure File Sharing and Transfer Solutions.
Solarwinds SFTP/SCP Server Solarwinds SFTP/SCP Server is a free SFTP server for reliable and secure network file transfers.
Varonis DatAdvantage File Monitoring Varonis DatAdvantage monitors Network File Shares Directory services for suspicious behavior. You can monitor file activity and user behavior, prevent data breaches, and make permissions management and auditing.
WS_FTP Server Corporate Collects FTP traffic analysis events, by user, source, destination, configuration, and authentication, from devices running WS_FTP.
secRMM Security Removable Media Manager.
vsftpd xferlog
Firewalls
A10 Load Balancer and Web Application Firewall Gathers events from A10 Load Balancer and A10 Web Application Firewall devices.
AppWall AppWall - Web Application Firewall (WAF).
Applicure dotDefender Applicure dotDefender web application firewall.
Barracuda NG Firewall (Phion Netfence)
Barracuda NG Firewall (Phion Netfence) Extended
Barracuda Web Application Firewall

Collects events from Barracuda Web Application Firewall devices. Recommend using this connector along with the BarracudaAdmin and BarracudaWeb connectors.

System, Web Firewall, Access, Audit, and Network Firewall logs have a new connector (BarracudaADC). Check whether it works for your case. If not, use this connector.

Borderware Firewall Collects events from Borderware (now Watchguard XCS) appliances.
Check Point Firewalls 5000 series Gathers logs from Check Point Firewalls 5000 series.
CheckPoint 600 Appliances (optional) daemon.log

Collects events from CheckPoint 600 Appliances.

May also work for 700 Appliances, but SolarWinds has not yet verified this. It sends to auth.log, user.log and daemon.log.

CheckPoint 600 Appliances (optional) user.log

Collects events from CheckPoint 600 Appliances.

May also work for 700 Appliances, but SolarWinds has not yet verified this. It sends to auth.log, user.log and daemon.log.

CheckPoint 600 Appliances (required) auth.log

Collects events from CheckPoint 600 Appliances.

May also work for 700 Appliances, but SolarWinds has not yet verified this. It sends to auth.log, user.log and daemon.log.

CheckPoint2200 CheckPoint2200 - A security gateway providing an all-in-one security solution.
CheckPoint2200Kern CheckPoint2200 kern log - A security gateway providing an all-in-one security solution.
CheckPointR80 Gathers logs from Check Point R80.20.
Checkpoint Edge X Firewall Collects events from CheckPoint appliances that are running EdgeX firmware.
Checkpoint Safe@Office Firewall Collects events from CheckPoint appliances that are running the safe@office firmware.
Cisco ASA and IOS Collects events from Cisco ASA, PIX, FWSM, and ACE firewalls, as well as IOS based routers/switches.
Cisco Firesight Cisco FireSIGHT Management Center: Centralized Policy, Event, and Device Management.
Cisco SA500 Series Security Appliances Collects events from the 540 series of Cisco SA500 Security Appliances.
Clavister firewall Clavister E80 and W20 devices are next-generation firewalls.
Cyberguard
D-Link DFL firewall Collects events from D-Link DFL Firewalls.
EndianUTM Endian Unified Threat Management (UTM) is a set of security features integrated into an all-in-one solution.
Firewall Blockbit Collects logs from Blockbit Firewall.
FortiClient Provides automated endpoint threat prevention.
FortiGate 5.0+ Collects events from Fortigate UTM appliances that use firmware version 5.0 and later.
GNAT Box System Software v.3.3 Collects events from the GNAT Box UTM software firewalls OR hardware running GNAT Box v3.3 or higher.
HP Firewall Collects events from the HP Firewall Appliance.
Hirschmann EAGLE System Industrial Firewall Collects events specific to Hirschmann EAGLE System Industrial Firewall/VPN-router appliances.
IBM DataPower An XML Gateway appliance that supports security/Web services and Enterprise Service Bus aspects.
IP Filter Collects events from devices running IPFilter firewall software.
IPFire OpenSource Firewall Distribution A hardened Linux appliance distribution designed for use as a firewall.
Incapsula Web Application Firewall via syslog Incapsula Web Application Firewall through syslog.
Ingate Firewall Collects events for the Ingate Firewall 1190.
Juniper Virtual Gateway Collects events from Juniper virtual gateway devices.
Juniper/NetScreen 5 Collects events from Juniper firewalls running ScreenOS version 5.0 or later.
Kerio Control Firewall Network firewall, router and leading-edge IPS.
McAfee Firewall v5.8 CEF Collects events from McAfee Firewall/VPN appliances and Virtual Firewall/VPNs running software/firmware version 5.8 or later.
McAfee ForcePoint Firewall Collects events from Forcepoint Firewall/VPN appliances and Virtual Firewall/VPNs running software/firmware.
Microsoft Forefront Threat Management Gateway 2010 Firewall (W3C Server file format) Collects Microsoft Forefront Threat Management Gateway log messages from files in the W3C format.
Microsoft ISA 2000 Firewall (ISA Server file format)
Microsoft ISA 2004 Web Proxy (ISA Server file format)
Microsoft ISA 2004 Web Proxy (W3C Server file format)
Microsoft ISA 2004/2006 Firewall (ISA Server file format)
Microsoft ISA 2004/2006 Firewall (W3C Server file format)
Microsoft ISA 2006 Web Proxy (ISA Server file format)
Microsoft ISA 2006 Web Proxy (W3C Server file format)
Microsoft ISA Firewall (W3C Extended file format)
Microsoft ISA Packet Filter (ISA Server file format)
Microsoft ISA Packet Filter (W3C Extended file format)
Microsoft ISA Server Application Log
Microsoft ISA Web Proxy (ISA Server file format)
Microsoft ISA Web Proxy (W3C Extended file format)
Microsoft Windows Firewall Advanced Security Events

Microsoft Windows Firewall with Advanced Security/Firewall events.

To enable, a new key called Microsoft-Windows-Windows Firewall With Advanced Security/Firewall must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Netgear FV Series Collects events from Netgear FV series firewall appliances.
Netscreen(Juniper SRX firewall) Collects events from Juniper Netscreen firewall appliances running firmware version 4.x.
Network Box RM300 and ITPE1000 Collects events from Network Box firewall devices.
OPSEC(TM) / Check Point(TM) NG LEA Client
OPSWAT Metadefender OPSWAT Metadefender - Data sanitization (CDR), vulnerability assessment, multiple anti-malware engines, and customized security policies.
OSSEC Active Response log Add and Delete events from OSSEC active response log.
Palo Alto Networks Firewalls

Collects events from Palo Alto firewalls running PanOS.

To enable this connector, set Log Format as BSD. Also, set all fields in Custom Log Format to Default.

See this KB article to set up logging.

Sidewinder 6.1+ Firewall Collects events from the McAfee Sidewinder Firewall (Versions 6.1+).
Sidewinder Firewall Collects events from the McAfee Sidewinder Firewall (Versions pre 6.1).
SonicWall Collects events from Dell SonicWall Firewall devices.
SonicWall GMS
Sophos (Astaro) Security Gateway Collects events from the following Sophos (Astaro) Security Gateways: 110, 120, 220, 320, 425, 525, 625.
SophosXG Firewall SophosXG Firewall
StoneGate Firewall v5.3 CEF Collects events from StoneGate Firewall/VPN appliances and Virtual Firewall/VPNs running software/firmware version 5.3 or later.
Storm Shield Netasq Firewall Storm Shield Netasq Firewall
Symantec Velociraptor 1.5 Collects events from the Symantec Velociraptor Firewall version 1.5.
Symantec Velociraptor 2.0 Collects events from the Symantec Velociraptor Firewall version 2.0.
Symantec Velociraptor 3.0 Collects events from the Symantec Velociraptor Firewall version 3.0+.
Tippingpoint X505 Collects Firewall, VPN, and Web events from the Tippingpoint X-series.
Titanium Mirror Firewall Collects events for Titanium Mirror firewalls (TM0100, TM0300, TM0310, and TM1100).
Tofino Firewall LSM for Industrial Networks Collects events specific to Industrial Network and takes control of network traffic.
Trend Deep Security Collects events from devices running Trend Deep Security software.
Trend Deep Security LEEF logs format Collects events from devices running Trend Deep Security software.
Untangle NG Firewall Untangle NG Firewall provides network management software.
VMWare vShield Edge Firewall Gathers events from VMWare's vShield Edge Firewall.
VisNetic Firewall
WatchGuard firewalls Collects events from Watchguard firewalls.
Windows Firewall
ZyXEL ZyWALL CEF Format Gathers events from ZyXEL ZyWALL CEF Format.
eSoft Collects events from the following InstaGate devices: Firewall models 404, 404e, 604, 806, and ThreatWall models 250, 450, and 650.
iptables / netfilter Collects events from devices running iptables or netfilter.
pfSense Firewall/Router pfSense is an open source firewall/router computer software distribution based on FreeBSD.
IAM <return to top>
BioPassword
Cisco (NAC) Network Access Control Appliance with Clean Access Manager (CAM) or Server (CAS) Software Collects events from Cisco NAC (clean access) appliances.
Cisco ACS Admin Audit
Cisco ACS Admin Audit 4.1+
Cisco ACS Backup and Restore
Cisco ACS Database Replication
Cisco ACS Database Sync
Cisco ACS Express
Cisco ACS Failed Attempts
Cisco ACS Passed Authentications
Cisco ACS RADIUS Accounting
Cisco ACS Service Monitoring
Cisco ACS TACACS+ Accounting
Cisco ACS TACACS+ Administration
Cisco ACS User Password Changes
Cisco ACS VoIP
Cisco Customer Voice Portal Application Activity Date Rotating Log Activity taken by callers when they visit an application.
Cisco Customer Voice Portal Application Activity Log Activity taken by callers when they visit an application.
Cisco Customer Voice Portal Application Admin Date Rotating Log Shows admin events for the app.
Cisco Customer Voice Portal Application Admin Log Shows admin events for the app.
Cisco Customer Voice Portal Application Error Date Rotating Log Shows system-error events for the app. Some events result in the failure of the call.
Cisco Customer Voice Portal Application Error Log Shows system-error events for the app. Some events result in the failure of the call.
Cisco Customer Voice Portal Global Admin Date Rotating Log Logs admin events that affect the server as a whole.
Cisco Customer Voice Portal Global Admin Log Logs admin events that affect the server as a whole.
Cisco Customer Voice Portal Global Error Date Rotating Log Logs errors that are outside the scope of one app.
Cisco Customer Voice Portal Global Error Log Logs errors that are outside the scope of one app.
Cisco Customer Voice Portal Global call Date Rotating Log Logs one row for each session (visit to one app by one call).
Cisco Customer Voice Portal Global call Log Logs one row for each session (visit to one app by one call).
Cisco Customer Voice Portal Server Startup Error Date Rotating Log Shows Global log.
Cisco Customer Voice Portal Server Startup Error Log Shows Global log.
Cisco Identity Services Engine (ISE) Automates and enforces context-aware security access to network resources.
Cisco Secure ACS 4.1 Syslog Collects events from Cisco ACS (versions 4.1 up to 5).
Cisco Secure ACS 5+ Syslog Collects events from Cisco ACS (versions 5 and up).
ClearBox Enterprise RADIUS server Collects authentication packet events from ClearBox Enterprise RADIUS Server 5.7.
Cyber-Ark Vault Collects events from the Cyber-Ark Vault Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite.
Dell Defender Manages 2 factor and multi-factor authentication for identity storage and management.
DigitalPersona Pro
Entrust Identity Guard (IDG) Entrust Identity Guard (IDG) Identity-based security software.
Extreme Sentriant Collects identity and access management events from Sentriant appliances.
FreeRADIUS
FutureX Excrypt Gathers events from the FutureX Excrypt SSP9000 hardware security module.
IAS RADIUS Non-Rotating File
IAS RADIUS Rotating File
IBM Tivoli Access Manager for Operating Systems Gathers events from IBM Tivoli Access Manager for Operating Systems.
Imprivata Appliance Manages single-sign-on behavior, multi-factor authentication, and related authentication behavior for applications.
Juniper SBR authentication accepts report log
Juniper SBR authentication accepts report log
Juniper SBR authentication rejects report log
Juniper SBR authentication rejects report log
KEMP Kern Log KEMP load balancer kernel log.
ManageEngine Password Manager Pro SNMP
Microsoft Azure AD Password Protection DC Agent Admin

To enable, a new key called Microsoft-AzureADPasswordProtection-DCAgent/Admin must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Azure AD Password Protection DC Agent Admin allows custom banned password lists and prevents users from setting passwords to known compromised passwords or passwords defined in the custom banned list.

Microsoft RRAS
Microsoft RRAS Extended NPS Log Format
Microsoft Windows Group Policy Operational

To enable, a new key called Microsoft-Windows-GroupPolicy/Operational must be added to the following registry entry: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows Group Policy Operational provides centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment.

Microsoft Windows Terminal Services Gateway

To enable, a new key called Microsoft-Windows-TerminalServices-Gateway/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows Terminal Services Gateway Admin

To enable, a new key called Microsoft-Windows-TerminalServices-Gateway/Admin must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows Terminal Services Remote Connection Manager

To enable, a new key called Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Net Access
NetIQ Directory and Resource Administrator
Novell Identity Audit DB
OneSpan Collects events from OneSpan Authentication Server
Pleasant Password Server Pleasant Password Server is a multi-user password management tool.
PointSec PC
RSA Authentication Manager 7.1 Collects authentication events from the RSA Authentication Manager 7.1 or higher.
SafeNet Authentication Service (SAS) Windows Events

Collects SafeNet Authentication Service (SAS) Windows Events.

SafeNet Authentication Service is an on-premises authentication solution.

SafeNet SafeWord
Safenet Authentication service SafeNet's Authentication Service is a multifactor authentication (MFA) software product that adds supplementary security measures to standard user name/password logins for a variety of servers and services.
SanDisk CMC
SecurID
SecurID Syslog Collects syslog events from RSA ACE servers.
SecureAuth idP Provides infrastructure for multi-factor authentication and single sign on.
Shibboleth Identity Provider Shibboleth SAML/CAS Identity management system, audit logging.
SolarWinds Access Rights Manager Gathers messages from SolarWinds Access Rights Manager.
Thycotic Secret Server
TriCipher Collects events from devices running the TriCipher software.
Two-Factor Authentication For Active Directory

To enable, a new key called AuthLite Security must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Vormetric Collects file access related events, administrative activity, service activity (problems with agents, etc) from devices running Vormetric software or appliances.
Windows IAS and NPS System Log Collects messages from Windows Internet Authentication Service (IAS) and Windows Network Policy Server (NPS) through the Windows System log.
Windows server netlogon debug log Netlogon is a Windows Server process that authenticates users and other services within a domain.
eDMZ Password Auto Repository Collects events from eDMZ appliances (also called Quest Privileged Password Manager).
entrust Provides identity-based security solutions for secure governments, enterprises, and financial institutions.
IDS and IPS <return to top>
ActiveScout Gathers events from ForeScout's ActiveScout (CounterAct Edge) Intrusion Prevention System (IPS) device.
Cisco FirePOWER Module (Sourcefire 3D system) Cisco FirePOWER Module (Sourcefire 3D Network Defence System).
Cisco IDS/IPS v4/5.x
Cisco IPS 5+ (SDEE)
Core Network Insight Core Network Insight (formerly Damballa Failsafe) is an advanced threat detection system.
Darktrace - threat detection and classification Darktrace is a threat detection and classification solution.
Dragon IDS Collects events from Enterasys Dragon IDS/IPS appliances.
FortiSnort
GFI LANguard System Integrity Monitor 3
IBM IPS XGS Collects events from IBM Security Network Protection XGS solutions.
IBM XGS IBM XGS Intrusion Prevention System.
ISS Proventia IPS
ISS RealSecure IDS
Juniper IDP 250 v5.0 Collects events from Juniper IDP 250 appliances running firmware version 5.0+.
Juniper IDP 3.x Collects events from Juniper IDP appliances running firmware version 3.x.
Juniper IDP 4.0+ Collects events from Juniper IDP appliances running firmware version 4.0+.
McAfee Network Security Manager Collects events from McAfee IPS devices.
Microsoft ATA (Advanced Threat Analytics) Microsoft ATA (Advanced Threat Analytics) - Microsoft Cloud based SIEM.
NitroGuard IPS - Snort Format Collects Snort-format events from Nitroguard IPS appliances.
NitroSecurity IPS Collects Nitro-format events from Nitroguard IPS appliances.
Osiris Host Integrity Monitoring System
Radware DefensePro A real-time, behavioral based attack mitigation device.
Reflex IMC Collects Intrusion events from the Reflex Security IPS.
Secure Auth (Syslog) Secure Auth collects audit events from SecureAuth IdP Appliance in syslog format.
SecureAuth Error logs Collects error and warning events from SecureAuth IDP appliances.
SecureAuth Logging Audit logs Collects audit events from SecureAuth IDP appliances.
SecureAuth Logging Audit logs_Rotating Collects audit events from SecureAuth IDP appliances.
SecureNet IDS
Sentinel IPS Collects events from Sentinel Intrusion Protection System.
Snort
Sophos Central Cloud Sophos Central Cloud Endpoint Protection.
Symantec Gateway IDS Collects events from the Symantec Gateway IDS.
SyslogSnort
TippingPoint Audit and System Collects audit and system events from Tippingpoint devices.
Tippingpoint IPS 1.4 Collects IPS events from Tippingpoint SMS, as well as IPS versions 1.4 and 2.1+.
Tippingpoint IPS 2.1 Collects IPS events from Tippingpoint SMS, as well as IPS versions 1.4 and 2.1+.
Tippingpoint SMS Collects IPS events from Tippingpoint SMS, as well as IPS versions 1.4 and 2.1+.
TopLayer Attack Mitigator Collects DOS/DDOS events from TopLayer IPS 5500 EC-Series and TopLayer IPS 5500 ES-Series appliances.
Trend Micro Deep Discovery Inspector Detects targeted attacks and targeted ransomware.
Trend Micro HIDS - ossec syslog Trend Micro HIDS - Integrate OSSEC alerts of suspicious activities via syslog.
Trend Micro Interscan Gateway Security Appliance Collects events from Trend Micro's Interscan Gateway Security appliances.
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) - Email Gateway Collects logs from email messages, network traffic, and system events.
Tripwire Enterprise Collects host and file integrity monitoring events from devices running Tripwire software.
Manager <return to top>
Debian DPKG Debian DPKG package manager log.
Manager Monitor
Micro Focus Content Manager (DB Rotating)

Normalizes rotating DB log data from Micro Focus Content Manager (Formerly HPE Content Manager / TRIM / Records Manager).

Micro Focus Content Manager is a certified integrated records and document management toolset that attaches retention, access control, other bureau-specified rules and attributes to electronic documents.

Micro Focus Content Manager (TALF)

Normalizes TALF data from Micro Focus Content Manager (Formerly HPE Content Manager / TRIM / Records Manager).

Micro Focus Content Manager is a certified integrated records and document management toolset that attaches retention, access control, other bureau-specified rules and attributes to electronic documents.

MicrosoftWindowsRemoteManagement-Operational

Windows Remote Management (WinRM) is a protocol that allows hardware and OS from different vendors to interoperate.

To enable, a new key called Microsoft-Windows-WinRM%4Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

SWLEM Reports Collects reports events from Solarwinds Log and Event Manager.
nDepth Log Storage Message
Network Access Control <return to top>
Aruba ClearPass Policy Manager The ClearPass Policy Manager simplifies network access security by optimizing policies and AAA for mobile enterprises.
Cisco Prime Security Manager Centralized tool to manage Cisco ASA 5500-X Series Next-Generation Firewalls.
Network Management <return to top>
Airwatch Airwatch Mobile Device Management.
Arbor Pravail APS 2104 Used for DDOS attack detection and mitigation.
Aruba Airwave Management Platform

Detects and remediates rogues, attacks, and identifies their location.

Aruba Airwave Management Platform manages and monitors wireless environments, controllers.

Axcient Unified Management Console (UMC)
Barracuda Load Balancer ADC Collects Load Balancer ADC events. Also collects System, Web Firewall, Access, Audit and Network Firewall Logs.
Barracuda Web Security Gateway Spyware, malware, and virus protection for web security.
Blue Coat PacketShaper Helps enterprises control bandwidth cost, deliver a superior user experience, and align network resources with business priorities.
Carbon Black Enterprise Response Carbon Black Enterprise Response - Real-time EDR and incident response.
Cimcor CimTrak Cimcor CimTrak WTLogs.
Cisco Wireless Acccess Point Collects events for Cisco Wireless Access Point.
Cisco Wireless Control System Collects events for Cisco Wireless Control System.
Cisco Wireless LAN Controller snmp trap logs Wireless Access Point for Businesses.
Citrix XenMobile, Mobile management MDM, system and audit sys log. Citrix XenMobile, Mobile management MDM, system and audit sys log.
DNA OASyS

This connector covers logs from multiple files: archive.log, cleanup.log, cmxrepsvr.log, collectLog.log, DPdirect_*.log, oasErrLog.log.

DNA OASyS 7.5 by Schneider. This is a SCADA Control System.

DNA OASyS xosErrLog

This connector covers xosErrLog.log logs.

DNA OASyS 7.5 by Schneider. This is a SCADA Control System.

Dameware Remote Administration
Fujitsu iRMC Fujitsu integrated Remote Management Controller.
Gemalto High Availability (HA) Log Messages Gemalto Network HSM HA-related events including HA errors, add-member and delete-member events.
HPE Intelligent Management Center (IMC) HPE Intelligent Management Center (IMC), Network Management.
Juniper NSM Collects events aggregated from Juniper devices.
Lancope StealthWatch Collects network events from StealthWatch appliances.
Lantronix SLC 8000 Collects events from Lantronix SLC devices.
MS Forefront Endpoint Protection MS Forefront SCCM discovers servers, desktops, tablets, etc. connected to a network through Active Directory to ensure security of data stored on those devices.
Microsoft Exchange High Availability Logs

To enable, a new key called Microsoft-Exchange-HighAvailability/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

MicrosoftNetworkProfileOperational

Network profiles define the attributes for the connection operation to a basic service network.

To enable, a new key called Microsoft-Windows-NetworkProfile/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

NGINX Plus web delivery platform error logs NGINX adds enterprise-ready features for HTTP, TCP, and UDP load balancing, such as session persistence, health checks, advanced monitoring, and management. This gives you the freedom to innovate without being constrained by infrastructure.
Nagios
Radius server bundled with Windows Server 2008 and later Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization.
SecureLink Device Gateway Vendor 2FA authentication Remote Access appliance.
SolarWinds Orion and Virtualization Manager
SolarWinds Platform events auditing Collects auditing events from the SolarWinds Platform.
Survalent ADMS Software automation solution Survalent ADMS is a software automation solution that provides real-time supervisory control and data acquisition for utilities.
Titus Enterprise Information Protection Protects enterprise information.
Ubiquiti Wireless Acccess Point Collects events for the Ubiquiti Wireless Access Point.
ePolicy Orchestrator (ePO)
ePolicy Orchestrator (ePO) 4.5+
vCenter Server is the centralized management utility for VMware. vCenter Server is the centralized management utility for VMware.
Network Services <return to top>
Array APV 1600 Array APV 1600: Application delivery controller - SSL/TLS accelerator.
AudioCodes Mediant SBC Collects logs from AudioCodes Mediant Session Border Controllers (SBC).
Avaya SBC Gathers logs from Avaya SBC.
Barracuda Admin Collects admin events, such as changes and updates, from all Barracuda devices. Recommend using this connector along with the BarracudaWebAppFW and BarracudaWeb connectors.
Barracuda Mail Archiver Cloud-Connected Message Archiving for Efficiency and eDiscovery.
Barracuda Spam Firewall Barracuda Spam and Virus Firewall manages all inbound and outbound email traffic.
Bind Collects application-specific events generated in the application log. Used for firewalls and routers where Bind is deployed. Covers logs from Infoblox together with connector linuxdhcpd.xml.
CA's BrightStor v11.5
Calix Telecommunications Calix is a supplier of telecommunications access equipment for service providers.
Cisco Network Registrar for Windows
Cisco Unified Communications Manager (CallManager) Provides services such as session management, voice, video, messaging, mobility, and web conferencing.
Dell PowerProtect DD Collects events from the Dell EMC PowerProtect DD.
DHCPd Collects DHCP daemon lease grant, renewal, and location events from dhcp enabled devices. Covers logs from Infoblox together with connector bind.xml.
DNS Bind Collects application-specific events generated in the application log. Used for firewalls and routers where Bind is deployed.
Distil Networks Distil Networks provides bot detection and mitigation.
Eaton Cooper Power Systems Provides power system operators with a complete suite of software applications to remotely manage all installed intelligent IEDs.
Gemalto Luna Gemalto Luna.
HuaweiNCE Collects events from Huawei Network Connection Endpoint (NCE) devices.
IIS Configuration

To enable, a new key called Microsoft-Windows-IIS-Configuration-Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

IceWarp Mail Server (Merak) IceWarp Mail Server (Merak) is a mail server.
Infoblox NIOS This connector is a combination of connector bind.xml and linuxdhcpd.xml. There is nothing specific to Infoblox.
KEMP User Log KEMP load balancer user authentication log.
Kemp LoadMaster Kemp LoadMaster (CEF format).
Kerio Connect Collects events from Kerio Connect mail server.
Linux Sendmail Collects mail-related events from devices running Sendmail software.
LinuxLDAP Access Gathers access messages from the LinuxLDAP server.
LinuxLDAP Error Gathers error messages from the LinuxLDAP server.
Load Balancer Collects Load Balancer administration logs and Apache logs.
Locum RealTime Monitor Collects events from Locum RealTime Monitor.
Microsoft Cloud App Security

Collects events from Microsoft Cloud App Security (CASB) SIEM agent through syslog.

See this KB article for more information.

Microsoft Exchange Server in W3C format without Fields value Microsoft Exchange Server in W3C format without Fields value.
Microsoft Windows WAS, Microsoft Sharepoint Services, vmStatsProvider, Manager Reporter 2012 services Logs
NetIQ eDirectory Collects Authentication/Creation/Deletion events from the Novell NetIQ eDirectory services.
Netskope CASB

Netskope Security Cloud CASB (Cloud Access Security Broker) is a cloud-based software solution that is installed between cloud service users and cloud applications. The software monitors all activity and enforces security policies.

This connector covers syslog logs in CEF format.

Nimble SAN Collects events from Nimble SAN.
Nozomi Guardian Collects events from the Nozomi Guardian.
Nutanix Covers logs from all Nutanix products.
OpenLDAP Collects LDAP-related events from devices running OpenLDAP.
Oracle Communications Subscriber-Aware Load Balancer and Session Border Controller (SBC) parts of Oracle ACME

Oracle Communications Subscriber-Aware Load Balancer (SLB) enables scaling of capacity from SIP or IP address.

Oracle Communications Session Border Controller for fixed line, mobile and over-the-top services.

Oracle SD-WAN Gathers logs from Oracle SD-WAN.
Postfix Collects events from Postfix Mail Server.
Quest VMWare vRanger Detects errors and information from Quest Software's vRanger Pro and Standard Edition.
Redline Covers logs from Redline devices including RDL-3000.
Riverbed/Brocade Stingray A traffic manager/load balancer. Logs traffic rule violations, system amendments, and so on to syslog.
SafeNet DataSecure Certificate Server Collects events from the SafeNet DataSecure i450 appliance.
Semafone
SolarWinds Web Help Desk IT Services and Asset management software.
Symantec Backup Exec System Recovery
Symmetricom SyncServer Collects events from Symmetricom SyncServer series (including S100, S200, S250, S300, S350, and S350 SAASM) devices.
Synology cloud software Synology creates network-attached storage (NAS), IP surveillance solutions, and network equipment.
TACACS+ server based on Cisco engineering release

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services.

VMware NSX Collects events from VMware NSX.
WatchGuard Extensible Content Security (XCS) auth log

Collects authorization events from WatchGuard devices.

Requires the configuration of OpenSSH and PAM to watch the same logfile and capture everything.

WatchGuard Extensible Content Security (XCS) syslog Collects syslog events from WatchGuard devices.
Windows DHCP Server 2000
Windows DHCP Server 2000/2003/2008 System Log
Windows DHCP Server 2003 and 2008
Windows DNS-Server-Analytical

Analytical log from Windows DNS Servers.

To enable, a new key called Microsoft-Windows-DNSServer-Analytical must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Windows Server 2008 Log
named bind Collects application-specific events generated in the application log. Used for firewalls and routers where Bind is deployed.
smnpd daemon messages Collects events from various applications running the snmp daemon.
Operating Systems <return to top>
AIX Audit
AIX Syslog Gathers syslog events on OS access, configuration, user monitoring, and VM monitoring from devices running the IBM AIX operating system.
Debian 8.8 kern logs Debian 8.8 kern logs
Debian v8.8 Debian v8.8 logs
FireEye Operating System Collects events from FireEye Operating System.
FreeBSD Authentication

Collects authentication events from devices running FreeBSD.

This also requires the configuration of OpenSSH and PAM to watch the same logfile to capture everything.

HP OpenVMS 8+ Collects OS events for devices running OpenVMS 8 or later.
HP-ux Syslog Collects OS access, configuration, user monitoring, and VM monitoring events from devices running HP-UX.
Legacy TriGeo Agent AS400 Tool Collects auditing events from IBM AS400 appliances running Trigeo AS400 software.
Linux Auditd Linux Auditd (non-syslog).
Linux PAM Collects authentication events from devices running PAM software.
Linux PAM command Collects authentication events from devices running PAM software.
Linux command line logging
Linux syslog events Gathers syslog events on OS access, configuration, user monitoring, and VM monitoring from devices running RedHat and other Linux distributions.
LogAgent for OS400 (Patrick Townsend Security Solutions) Collects OS auditing information from IBM OS400 appliances (now called System I).
Mac OS X (crashreporter)
Mac OS X (install) Collects software installation events from devices running Mac OSX.
Mac OS X (mail) Collects mail traffic events from devices running Mac OSX.
Mac OS X (ppp)
Mac OS X (secure) Collects authentication, account, and group information events from devices running Mac OSX.
Mac OS X (system) Collects system-level events from devices running Mac OSX.
Microsoft Cluster Services events

To enable, a new key called Microsoft-Windows-FailoverClustering/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Sysmon

The Microsoft Sysmon product is used to log and monitor processes.

To enable, a new key called Microsoft-Windows-Sysmon/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example used for a different connector.

Microsoft Windows NTLM

To enable, a new key called Microsoft-Windows-NTLM/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows Task Scheduler

Microsoft Windows Task Scheduler for Vista/7/2008 and beyond.

To enable, a new key called Microsoft-Windows-TaskScheduler/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Microsoft Windows Terminal Services Local Session Manager

The Microsoft-Windows-TerminalServices-LocalSessionManager component is responsible for starting the computer and implementing Windows Fast User Switching (FUS).

To enable, a new key called Microsoft-Windows-TerminalServices-LocalSessionManager/Operational must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

MobileIron Assemble Mobile Data Security and Device Management for Enterprises.
MobileIron VSP Mobile Data Security and Device Management for Enterprises.
Novell Netware 4.1 - 5.3
Novell Netware 6.5
Novell Netware 6.5 (Database)
Novell Netware 6.5 File
Open SSH Collects authentication events from devices running Open SSH.
Oracle Linux secure logs Oracle Linux secure logs.
PowerTech Interact Collects OS auditing information from IBM OS400 appliances (now called System I).
SELinux Collects events from devices running SELinux.
SMB Server Audit Collects audit events from Windows SMB Server.
Solaris 10 BSM Auditing Collects events from Solaris 10 servers running the Basic Security Module.
Solaris 10 Snare Auditing
Solaris 11 Collects events from Solaris 11 operating system.
Solaris 8 and 9 Snare Auditing
VMware ESX esxcfg-firewall log
VMware ESX hostd log
VMware ESX messages log Collects events from VMware ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
VMware ESX secure log Collects events from VMware ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
VMware ESX vmkernel log Collects events from VMware ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
VMware ESX vmkwarning log Collects events from VMware ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
VMware ESXi Hostd log Collects events from VMware ESXi, to be run in conjunction with ESXi Messages, ESXi Hostd, and ESXi vmkernel connectors.
VMware ESXi messages log Collects events from VMware ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
VMware ESXi vmkernel log Collects events from VMware ESX, to be run in conjunction with Messages, Secure, vmkernel and vmkwarning connectors.
VMware Unified Access Gateway Collects syslog events from VMware UAG-ESManager, Audit and Admin events.
Windows Application - Syslog Windows Application logs through Syslog.
Windows Application Log
Windows DNS Server Audit Log

To enable, a new key called Microsoft-Windows-DNSServer/Audit must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

Windows DNS Server Log
Windows DNS Traffic Log
Windows Directory Service Log
Windows File Integrity Monitoring (FIM) File and Directory

Windows File Integrity Monitor (FIM) provides configurable real-time change tracking for files and directories on Windows servers and workstations.

Configure files and directories or dynamic patterns of files and directories to monitor and types of changes to monitor for each configured file/directory.

To learn how to configure FIM on Linux, access the following link: https://thwack.solarwinds.com/docs/DOC-190279

Windows File Integrity Monitoring (FIM) Registry

Windows File Integrity Monitor (FIM) provides configurable real-time change tracking for registry keys and folders on Windows servers and workstations.

Configure registry keys and folders or dynamic patterns of registry keys and folders to monitor and types of changes to monitor for each configured key/folder.

To learn how to configure FIM on Linux, access the following link: https://thwack.solarwinds.com/docs/DOC-190279

Windows File Replication Service
Windows Filtering Platform Events
Windows NT/2000/XP Security Log
Windows Security - Syslog Windows Security logs through Syslog.
Windows Security Log Windows Security logs (Windows 2008 and newer).
Windows System - Syslog Windows System logs through Syslog.
Windows System Log
iSecurity CEF Collects audit logs from iSecurity developed by RazLee.
iSecurity for OS400 (Raz-Lee)
linuxauditd (syslog) Normalizes Linux audit logs from syslog format into SEM.
sudo Collects events from various applications running sudo.
sudo syslog Collects events from various applications running sudo.
Physical Infrastructure <return to top>
APC InfraStruXure Gathers power monitoring events from InfraStruXure racks and UPS Network Management Cards. Also covers syslog events from Netbotz devices.
APC Netbotz Gathers non-syslog events from APC Netbotz devices.
Dell DRAC Dell Access Card for Remote Administration.
Dell Server Administrator Gathers Storage Management and System Events for Dell Server Administrator from the Windows Application Event Log.
EMCUnity Dell EMC Unity Storage array.
Fujitsu Blade Servers Fujitsu Blade Servers.
Fujitsu Storage ETERNUS Fujitsu Storage ETERNUS consolidates data for server virtualization, e-mail, databases and business applications, as well as centralized file services.
Grandstream Gateway Grandstream Analog VoIP Gateway integrates traditional phone systems into a VoIP network and manages communication.
HP BladeSystem Enclosure auth log Collects authorization events from HP BladeSystem enclosures.
HP BladeSystem Enclosure local log Collects authorization events from HP BladeSystem enclosures.
HP Printer Collects events from HP Color LaserJet Enterprise M750 Printer series.
HP Proliant iLO 4 HP Proliant iLO 4 and later - Lights-out blade management.
HPE 3PAR StoreServ Hewlett Packard Enterprise 3PAR StoreServ.
Hitachi AMS Collects events from Hitachi Adaptable Modular Storage devices.
JACO CartCare
Tripp Lite SNMPWEBCARD Collects events from Tripp Lite SNMPWEBCARD.
TrippLitePDU TrippLitePDU is a network power distribution unit that distributes power supplied to the rack.
Proxies/Content Filters <return to top>
Actiance Unified Security Gateway Collects events from Unified Security Gateway appliances.
Barracuda Web Filter Collects Web traffic analysis events, by user, source, destination, configuration, and authentication, from Barracuda devices. Recommend using this connector along with the BarracudaAdmin and BarracudaWebAppFV connectors.
Blue Coat Proxy SG web access Collects Web Proxy Access events from the following series of Blue Coat ProxySG appliances: 210, 300, 510, 600, 810, 8100, and 9000.
Blue Coat ProxySG Collects events from the following series of Blue Coat ProxySG appliances: 210, 300, 510, 600, 810, 8100, and 9000.
Cisco AsyncOS Access Log Cisco AsyncOS Access Log (Squid Format).
Cisco Content Security and Control Security Services Module 6.1-6.2 Collects events from Cisco Content Security and Control Security Services Module 6.1-6.2.
Cisco Content Security and Control Security Services Module 6.3+ Collects events from Cisco Content Security and Control Security Services Module 6.3.
ClearSwift Secure Email Gateway Inspection and filtering of e-mail content.
Forcepoint TRITON AP-WEB Collects events from Forcepoint TRITON AP-WEB.
FortiWeb Web Application Firewall Collects web-related events and device information from FortiWeb Web Application Firewall appliances.
IronPort Email Security Appliance Collects mail-related events and device information from IronPort Email Security appliances.
IronPort Web Security Collects web-related events and device information from IronPort Web Security appliances.
Mail Assure Collects events from Mail Assure email security.
McAfee Email Gateway Collects mail-related events and device information from McAfee Email Gateway appliances.
McAfee Web Gateway v6.x Collects web-related events and device information from McAfee Web Gateway v6.x and higher appliances.
McAfee Web Gateway v7.x Collects web-related events and device information from McAfee Web Gateway v7.x and higher appliances.
Sonicwall Email Security
Sophos ES appliance Collects events from the Sophos Email Security appliance. It should be run in conjunction with the auth connector.
Sophos ES appliance auth Collects events from the Sophos Email Security appliance. It should be run in conjunction with the auth connector.
Sophos WS appliance Collects events from the Sophos Web Security appliance.
Squid Access Log
SquidGuard Access Block Log
St. Bernard iPrism Collects events from iPrism Internet Filtering Appliances.
Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) Access

Collects Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) Access events from SG600 and maybe for other Access running SGOS.

The connector requires the following fields to be set:

#Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation cs-threat-risk x-bluecoat-transaction-uuid x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata)

Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) SSL

Collects Symantec Secure Web Gateway: ProxySG and ASG (Bluecoat) SSL events from SG600 and maybe for other SSL running SGOS.

The connector requires the following fields to be set:

#Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-category cs-threat-risk x-rs-certificate-hostname-threat-risk

Symantec Web Security for Windows
SymantecWebGateway Symantec Web Gateway Malware and content filtering screening device.
Trend IWSVA Audit Log
Trend IWSVA URL Access Log
Trend IWSVA URL Block Log
Trend IWSVA Update Log
Trend IWSVA Virus Log
Trend-Micro IWSVA URL log
Websense Security Gateway Anywhere Collects device/software events from Websense Security Gateway Anywhere appliances.
Websense Web Filter and Websense Web Security Collects device/software events from Websense gateways.
Websense Web Filter and Websense Web Security Database Collects device/software events from Websense gateways.
Webtitan Webtitan - Web Content Filter.
eSafe Collects web security and email security events from the eSafe application.
Routers/Switches <return to top>
3Com Switch Gathers events from the following 3com switches: 4400, 4500, 4500G, 4800G, 5500, 5500G, 7750, 8800, S7900E.
AXIA Ethernet Switch The modular broadcast control surface from Axia Audio.
Adtran Atlas Switch Gathers events from Adtran Atlas switches.
Adtran NetVanta Router Gathers events from the following series of Adtran NetVanta routers: 1300, 1500, 2000, 3100, 3200, 3300, 3400 (Modular Access and Multiservice Access), 4000, 5000, and 7100.
Aerohive log Aerohive SR2024 SR2024P SR2148P CVG log
Alcatel-Lucent OmniSwitch Collects events from Alcatel-Lucent OmniSwitch.
Allied Telesis Routers and Switches Collects syslog data from Allied Telesis 8600 Series Fast Ethernet Layer 3 switches, and AT-41x routers.
Arista switches Collects events from Arista switches.
Aruba CX switch Collects events from Aruba CX switches.
Aruba Wireless Access Point Collects events from Aruba wireless access points with firmware version 2.x.
Aruba Wireless Access Point 3x Collects events from Aruba wireless access points with firmware version 3.0 and later.
Aruba2930 Aruba 2930M-24G switch.
Aruba CX Switch Collects events from Aruba CX switches.
Avaya/Nortel VSP 7000 Ethernet Routing Switch Collects events from the following Avaya/Nortel Ethernet Routing Switches: 5510, 5520, 5530-24TFD, 8600, VSP 7000.
Blade RackSwitch Collects events from Blade RackSwitch G8100 and G8124 10G Low Latency Switches, as well as the RackSwitch G8000 1-10G Aggregation Switch.
Bluesocket vWLAN Bluesocket devices Virtual Wireless LAN.
Brocade Iron Series Collects events from Brocade Iron Series switches and routers.
Brocade VDX Switches Collects events from Brocade VDX switches.
Brocade Vyatta Router Gathers events from Brocade Vyatta Router.
Cisco 4000 Series Integrated Services Routers (ISRs), Intelligent WAN platform Cisco 4000 Series Integrated Services Routers (ISRs), Intelligent WAN platform.
Cisco CatOS Collects events from Cisco Catalyst devices running IOS 12.2+, or CatOS 6.2+.
Cisco Nexus NX-OS Collects events from Cisco Nexus Switches (running NX-OS).
Cisco Small Business 300 Series Managed Switch Collects events from the series of Cisco Sx300 Security Appliances.
Cisco Wireless LAN Controller and IOS-XE Software Collects events for Cisco Wireless LAN Controllers, as well as for IOS-XE based routers/switches.
Dell Force10 Switch Collects events from Dell Force10 Switch.
Dell N Series Switches Dell Networking N2000 Series 1GbE Layer 3 Switches.
Dell PowerConnect Switches Collects events from Dell J-EX4200 and J-EX8200 Ethernet switches.
DrayTek Vigor Series Collects logs from DrayTek Vigor series routers.
Enterasys C-Series and N-Series Switches Collects events from Enterasys C-Series and N-Series switches.
Enterasys IdentiFi Wireless Controller Collects events for Enterasys IdentiFi Wireless Controller.
Extreme Networks VSP Extreme Networks VSP collects events from Virtual Services Platform devices.
Extreme Switch Collects events from Extreme Networks Alpine, BlackDiamond, and Summit switches.
Foundry Collects events from the following Brocade FastIron switches: 1500, 400, 800, and Edge Switches 2402, 4802, and 9604.
FreeWave
HP MSM700 Series Controller Collects network traffic events, changes to the device, device issues, and authentication events from MSM wireless controller devices.
HP ProCurve 1910-24G-PoE Switch and H3C Collects events for HP ProCurve 1910-24G-PoE Switch, H3C and FlexFabric Switch series.
HP ProCurve Switches Firmware F.05.65+ Zl Series Collects events for HP ProCurve switches running Firmware version F.05.65+.
HP Router Gathers events from the HP 930 MSR Router.
Hirschmann OpenRail System Compact Switch Collects events specific to Hirschmann OpenRail System Compact Switch appliances.
Huawei Switches Collects events from Huawei switches.
Juniper JUNOS Collects events from Juniper routers and switches running JUNOS.
Junos Pulse Gateway Junos Pulse Gateway provides SSL/VPN, network access control, and application acceleration.
Meru Wireless Meru MC3200 Meru Wireless Controller.
MetaSwitch Universal Media Gateway Collects events from MetaSwitch Universal Media Gateway MG6050. The connector should work for other versions as well.
Mikrotik Routers Provides wireless ISP systems for Internet connectivity around the world.
Motorola WLAN Controller Collects events from Motorola WLAN controller 4000 series appliances.
Motorola WS2000 snmp Gathers events from the Motorola WS2000 series switches through SNMP.
Moxa Ethernet Switches Collects events from Moxa ICS-67528A and EDS-G516E series Ethernet switches.
NEC IX Router Collects events from NEC IX Series routers.
Netgear Switch Collects events from Netgear switches.
Nokia Switch Collects events from Nokia 7750 and 7210 switches.
Nortel Baystack Collects events from Nortel Baystack switches.
Nortel Contivity 200 Series Collects events from Nortel Contivity secure IP gateways (200 series).
Nortel Ethernet Routing Switch 4500 Series Collects events from the Nortel Ethernet 4500 Series Routing Switches, which are now subsidiaries of Avaya.
Nortel WLAN Security Switch Collects events from the following Nortel WLAN Security Switches: WLAN Access Point 2330, 2330A, 2330B, 2332, 2350, 2360/2361, 2380, and 2382.
Proxim Orinoco WAP Collects events from the Proxim Orinoco Wireless Access Point.
QLogic Fibre Channel Switch Collects events from QLogic Fibre Channel Switches.
Raritan Dominion Switch Collects events from the Raritan Dominion KVM-over-IP switches.
Ruckus ZoneDirector Wireless LAN Controller Collects events for Ruckus ZoneDirector Wireless LAN controllers.
RuggedCom Switch Collects events from the following RuggedCom switches: M2100, RST2228, and RX1500.
SilverPeak WAN Acceleration and Optimization SilverPeak WAN Acceleration and Optimization.
Telco Switch Layer2 switch by Telco Systems.
Velocloud Collects events from the VMware Velocloud firewall.
Xirrus WiFi Array Collects events from Xirrus wireless arrays.
ZyXEL P-660HW-T Gathers events from ZyXEL's P-660HW-T 802.11g Wireless ADSL 2+ 4-port Gateway.
ZyXEL XGS4528F Gathers events from ZyXEL's XGS4528F.
Security and UTM <return to top>
Cyberoam UTM Collects events from Cyberoam UTM appliances.
Enforcive Enterprise Security Enforcive/Enterprise Security for IBM i: access control, security, compliance and log management.
FireEye Malware Protection System Collects events from FireEye MPS appliance.
FortiAuthenticator Collects FortiAuthenticator events.
FortiGate 2.5 Collects events from Fortigate UTM appliances that use firmware version 2.5.
FortiGate 2.8+ Collects events from Fortigate UTM appliances that use firmware version 2.8 and later.
FortiGate 300C Collects events from Fortigate UTM appliances that use firmware version 300C.
FortiMail Email Security Appliances FortiMail is a complete Secure Email Gateway platform suitable for any size organization.
McAfee Network and Security Platform (IntruShield) - deprecated

Collects events from McAfee Network and Security Platform (IntruShield).

This connector is deprecated. As an alternative, use the McAfee Network Security Manager.

Meraki MX Collects events from Meraki MX Security Appliance.
Proofpoint Enterprise Protection Protects business from email threats and other forms of objectionable or dangerous content.
SmoothWall Unified Threat Manager Collects events from SmoothWall UTM appliances and software.
Sophos UTM 9 Collects events from Sophos UTM 9.
Sophos UTM 9 (non unix syslog timestamp) Collects events from Sophos UTM 9 that start with date-time (format YYYY:MM:DD-HH:MM:SS) instead of unix syslog timestamp.
WatchGuard Firebox Outdated. Use WatchguardFirewalls.xml.
WatchGuard Firebox X Edge E-Series Outdated. Use WatchguardFirewalls.xml.
WatchGuard SOHO
WatchGuard Xcore Outdated. Use WatchguardFirewalls.xml.
Zscaler Web Security / Advanced Security Zscaler protects from malware, viruses, advanced persistent threats, and other risks. It can also stop inadvertent or malicious leaks of a company's sensitive data.
cyphort threat protection Network-based Next Generation APT Defense.
fireEye HX fireEye HX
Storage <return to top>
Dell Compellent storage Collects logs from Dell Compellent Storage Area Network (SAN) controllers.
Dell Equallogic storage area network systems EqualLogic products are iSCSI-based storage area network systems marketed by Dell.
HP StorageWorks Modular Smart Array Collects device information events for StorageWorks arrays.
IBM NetApp ONTAP Collects device information events for NetApp appliances.
NetApp Gathers events from NetApp.
NetApp ONTAP OnCommand Collects events for ONTAP Cluster Management using OnCommand System Manager.
Qumulo Covers logs from Qumulo Core.
System Scan Reporters <return to top>
ForeScout CounterACT NAC
Nessus Message
Nessus Report
Nessus Security Scanner NBE Report
Nessus XML Report
PatchLink Vulnerability
QualysGuard Scan Report
Rapid7 NeXpose Vulnerability Scanner
Retina
VPN and Remote Access <return to top>
Array Networks SPX Collects events from Array Networks Secure Access Gateways.
Azure Multi-Factor Authentication Server Multi-Factor authentication for hybrid environments.
Barracuda SSL VPN Connector Collects events from Barracuda SSL VPN appliance.
Cisco VPN Collects events for Cisco VPN concentrators.
Citrix Secure Access Gateway Collects events about application access, configuration, and user monitoring from Citrix secure access gateways.
Citrix Secure Gateway Access - XenApp Server
Citrix XenDesktop
Citrix XenServer auth log Collects authorization events from Citrix devices.
Citrix XenServer daemon log Collects daemon log events from Citrix devices.
Corente AWB Collects events from the Corente AWB application.
FirePass SSL VPN Collects SSL VPN authentication and VPN access events on F5 FirePass appliances.
Neo Accel SSL VPN Collects SSL VPN authentication and VPN access events on Neo Accel SSL VPN appliances.
Neoteris VPN/Juniper SA series Collects SSL VPN authentication and VPN access events on Juniper SA series SSL VPN appliances.
Netgear SSL VPN Concentrator SSL312 Collects SSL VPN authentication and VPN access events on Netgear SSL VPN Concentrator appliances.
Netilla VPN Collects SSL VPN authentication and VPN access events on Netilla VPN appliances.
Nortel Contivity Collects events from the following Nortel Contivity secure IP gateways: 1000, 1750, 2700, 500, and 600.
OpenVPN Collects VPN-related events from devices running OpenVPN.
Permeo VPN Collects events from Permeo VPN appliances.
PulseSecure

Collects logs from Pulse Connect Secure and Pulse Policy Secure.

There should be two instances of this connector. One points to the user.log facility and one to the localX.log facility.

RemotelyAnywhere / LogMeIn
Riverbed Steelhead WAN Optimization Collects events from the Riverbed Steelhead WAN Optimization appliance.
SonicWALL Aventail SSL VPN E-Class and SMA Collects events from Dell Aventail SSL VPN E-series and SMA (Secure Mobile Access) appliances.
SonicWALL SSL VPN Collects events from Dell Aventail SSL VPN appliances (NOT E-class).
SonicWall E-Class SRA Collects events from Dell SonicWALL E-Class Secure Remote Access appliances.
TeamViewer Collects TeamViewer connection logs.
Ultra VNC
VMware Horizon 7 VMware Horizon 7
WatchGuard Vclass
WatchGuard Vclass (Alarm)
WatchGuard Vclass (VPN)
pcAnywhere
WebServer <return to top>
AnyEvent
Apache (syslog) Covers Apache-style logs sent through syslog (starting with the Apache Common Log format), including Fastly apache-style logs.
Apache Access
Apache Access Rotating
Apache Error
Apache Error Rotating
Apache Tomcat isapi_redirect
Atlassian BitBucket Server Atlassian BitBucket is a web-based version control repository hosting service.
EscalationAssignmentAbortedEvent
Guidewire

Guidewire captures Tomcat log from Guidewire.

Apache Tomcat is an open source web server/Java Servlet Container.

IIS error connector IIS error connector.
Incapsula Web Application Firewall
LanguageAssignmentEvent
Localhost Apache Access
Microsoft Forefront Threat Management Gateway 2010 Web Proxy(W3C Server file format) Collects Microsoft Forefront Threat Management Gateway log messages from files in W3C format.
Microsoft IIS Advanced Logging
Microsoft IIS Web Server 10.0 (W3C Extended file format)
Microsoft IIS Web Server 5.0 (W3C Extended file format)
Microsoft IIS Web Server 6.0 (W3C Extended file format)
Microsoft IIS Web Server 7.0 (W3C Extended file format)
Microsoft IIS Web Server 8.5 (W3C Extended file format)
Microsoft IIS Web Server 8.5 (W3C Extended file format) Enhanced Logging

MicrosoftIISLogging via Windows Event Log

Internet Information Services logging through Windows Event Log.

To enable, a new key called Microsoft-IIS-Logging/Logs must be added to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

See this KB article for an example implemented on a different connector.

MilestoneXProtect_C
MilestoneXProtect_Configuration
MilestoneXProtect_audit
NGINX Error
NetMotion Mobility Server_mobility events
NetMotion Mobility Server_nmact events
NetMotion Mobility Warehouse_Access events
NetMotion Mobility Warehouse_Error events
SignonEvents
SingleSignonEvents
Syncplify.Me (W3C Extended File Format) Gathers logs from Syncplify.me (a secure sftp server) in W3C format stored locally in a flatfile.
Tomcat ASC Config Change event Tomcat ASC Config Change event.
Tomcat Cluster Event Tomcat Cluster Event.
Tomcat Common daemon Tomcat Common daemon.
Webdefend-Trustwave Web application firewall that logs events based on actions taken on web traffic to prevent attacks.
Websphere 7 SystemOut Log