JSA Supported DSMs
JSA can collect events from your security products by using a plugin file that is called a Device Support Module (DSM).
The following table lists supported DSMs for third-party and JSA solutions.
Table 1: JSA Supported DSMs
Manufacturer | Device name and version | Protocol | Recorded events and formats | Auto discovered? | Includes identity? | Includes custom properties? |
---|---|---|---|---|---|---|
3Com | 8800 Series Switch V3.01.30 | Syslog | Status and network condition events | Yes | No | No |
AhnLab | AhnLab Policy Center | AhnLab Policy Center JDBC | Spyware detection Virus detection Audit | No | Yes | No |
Akamai | Akamai KONA | HTTP Receiver Akamai Kona REST API | Warn Rule Events Deny Rule Events Event format: JSON Recorded event types: All security events | No | No | No |
Amazon | Amazon GuardDuty | Amazon GuardDuty | Amazon GuardDuty Findings JSON | No | No | No |
Amazon | Amazon AWS CloudTrail | Amazon AWS S3 REST API | All version 1.0, 1.02, 1.03, and 1.04 events. | No | No | No |
Ambiron | TrustWave ipAngel V4.0 | Syslog | Snort-based events | No | No | No |
Apache | HTTP Server V1.3+ | Syslog | HTTP status | Yes | No | No |
APC | UPS | Syslog | Smart-UPS series events | No | No | No |
Apple | Mac OS X (10) | Syslog | Firewall, web server (access/error), privilege, and information events | No | Yes | No |
Application Security, Inc. | DbProtect V6.2, V6.3, V6.3sp1, V6.3.1, and v6.4 | Syslog | All events | Yes | No | No |
Arbor Networks | Arbor Networks Pravail APS V3.1+ | Syslog, TLS Syslog | All events | Yes | No | No |
Arbor Networks | Arbor Networks Peakflow SP V5.8 to V8.12 | Syslog, TLS Syslog | Denial of Service (DoS) Authentication Exploit Suspicious activity System | Yes | No | No |
Arpeggio Software | SIFT-IT V3.1+ | Syslog | All events configured in the SIFT-IT rule set | Yes | No | No |
Array Networks | SSL VPN ArraySP V7.3 | Syslog | All events | No | Yes | Yes |
Aruba Networks | ClearPass Policy Manager V6.5.0.71095 and above | Syslog | LEEF | Yes | Yes | No |
Aruba Networks | Mobility Controllers V2.5 + | Syslog | All events | Yes | No | No |
Avaya Inc. | Avaya VPN Gateway V9.0.7.2 | Syslog | All events | Yes | Yes | No |
BalaBit IT Security | Microsoft Windows Security Event Log V4.x | Syslog | Microsoft Event Log Events | Yes | Yes | No |
BalaBit IT Security | Microsoft ISA V4.x | Syslog | Microsoft Event Log Events | Yes | Yes | No |
Barracuda Networks | Spam & Virus Firewall V5.x and later | Syslog | All events | Yes | No | No |
Barracuda Networks | Web Application Firewall V7.0.x | Syslog | System, web firewall, access, and audit events | Yes | No | No |
Barracuda Networks | Web Filter V6.0.x+ | Syslog | Web traffic and web interface events | Yes | No | No |
Bit9 | Carbon Black V5.1 and later | Syslog | Watchlist hits | Yes | No | No |
Bit9 | Bit9 Parity | Syslog | LEEF | Yes | No | |
Bit9 | Security Platform V6.0.2 and later | Syslog | All events | Yes | Yes | No |
BlueCat Networks | Adonis V6.7.1-P2+ | Syslog | DNS and DHCP events | Yes | No | No |
Blue Coat | SG V4.x+ | Syslog Log File Protocol | All events | No | No | Yes |
Blue Coat | Web Security Service | | Blue Coat ELFF, Access | No | No | No |
Bridgewater Systems | AAA V8.2c1 | Syslog | All events | Yes | Yes | No |
Brocade | Fabric OS V7.x | Syslog | System and audit events | Yes | No | No |
CA | Access Control Facility V12 to V15 | Log File Protocol | All events | No | No | Yes |
CA | SiteMinder | Syslog | All events | No | No | No |
CA | Top Secret V12 to V15 | Log File Protocol | All events | No | No | Yes |
Carbon Black | Carbon Black V5.1 and later | Syslog | Watchlist hits | Yes | No | No |
Carbon Black | Carbon Black Protection V8.0.0 | Syslog | LEEF Computer Management Server Management Session Management Policy Management, Policy Enforcement Internal Events General Management Discovery | Yes | Yes | No |
Carbon Black | Carbon Black Bit9 Parity | Syslog | LEEF | Yes | No | |
Carbon Black | Carbon Black Bit9 Security Platform V6.0.2 | Syslog | All events | Yes | Yes | No |
Centrify | Centrify Identity Platform | Centrify Redrock REST API | Event format: JSON Event types: SaaS, Core, Internal and Mobile | No | No | No |
Centrify | Centrify Infrastructure Services 2017 | Syslog and WinCollect | WinCollect logs, Audit events | Yes | No | No |
Check Point | Check Point versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, R80, NGX, and R75 | Syslog or OPSEC LEA | All events | Yes | Yes | Yes |
Check Point | VPN-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77 NGX | Syslog or OPSEC LEA | All events | Yes | Yes | No |
Check Point | Check Point Multi-Domain Management (Provider-1) versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX | Syslog or OPSEC LEA | All events | Yes | Yes | No |
Cilasoft | Cilasoft QJRN/400 V5.14.K+ | Syslog | IBM audit events | Yes | Yes | No |
Cisco | 4400 Series Wireless LAN Controller V7.2 | Syslog or SNMPv2 | All events | No | No | No |
Cisco | CallManager V8.x | Syslog | Application events | Yes | No | No |
Cisco | ACS V4.1 and later if directly from ACS; V3.x and later if using ALE | Syslog | Failed Access Attempts | Yes | Yes | No |
Cisco | Aironet V4.x+ | Syslog | Cisco Emblem Format | Yes | No | No |
Cisco | ACE Firewall V12.2 | Syslog | All events | Yes | Yes | No |
Cisco | ASA V7.x and later | Syslog | All events | Yes | Yes | No |
Cisco | ASA V7.x+ | NSEL Protocol | All events | No | No | No |
Cisco | CSA V4.x, V5.x and V6.x | Syslog SNMPv1 SNMPv2 | All events | Yes | Yes | No |
Cisco | CatOS for catalyst systems V7.3+ | Syslog | All events | Yes | Yes | No |
Cisco | Cloud Web Security (CWS) | Amazon AWS S3 REST API | W3C All web usage logs | No | No | No |
Cisco | Cisco Stealthwatch V6.8 | Syslog | Event format: LEEF Event types: Anomaly, Data Hoarding, Exploitation, High Concern Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfiltration, C&C | Yes | No | No |
Cisco | IPS V7.1.10 and later, V7.2.x, V7.3.x | SDEE | All events | No | No | No |
Cisco | Cisco IronPort V5.5, V6.5, V7.1, V7.5 (adds support for access logs) Cisco IronPort ESA: V10.0 Cisco IronPort WSA: V10.0 | Syslog, Log File protocol | Event format: All events Recorded event types: Mail (syslog) System (syslog) Access (syslog) Web content filtering (Log File) | No | No | No |
Cisco | IronPort V5.5, V6.5, V7.1, and V7.5 | Syslog, Log File Protocol | All events | No | No | No |
Cisco | FireSIGHT Management Center V4.8.0.2 to V6.0.0 (formerly known as Sourcefire Defense Center) | FireSIGHT Management Center | Intrusion events and extra data Correlation events Metadata events Discovery events Host events User events Malware events File events | No | No | No |
Cisco | Cisco Firepower Management Center V5.2 to V6.2.0.1 (formerly known as Cisco FireSIGHT Management Center) | Cisco Firepower eStreamer protocol | Discovery events Correlation and White List events Impact Flag alerts User activity Malware events File events Connection events Intrusion events Intrusion Event Packet Data Intrusion Event Extra Data | No | No | No |
Cisco | Firewall Service Module (FWSM) v2.1+ | Syslog | All events | Yes | Yes | Yes |
Cisco | Catalyst Switch IOS, 12.2, 12.5+ | Syslog | All events | Yes | Yes | No |
Cisco | Cisco Meraki | Syslog | Event format: Syslog Event types: Events Flows security_event_ids_alerted | | | |
Cisco | NAC Appliance v4.x + | Syslog | Audit, error, failure, quarantine, and infected events | No | No | No |
Cisco | Nexus v6.x | Syslog | Nexus-OS events | Yes | No | No |
Cisco | PIX Firewall v5.x, v6.3+ | Syslog | Cisco PIX events | Yes | Yes | Yes |
Cisco | IOS 12.2, 12.5+ | Syslog | All events | Yes | Yes | No |
Cisco | Cisco Umbrella | Amazon AWS S3 REST API | Event format: Cisco Umbrella CSV Event types: Audit | No | No | No |
Cisco | VPN 3000 Concentrator versions VPN 3005, 4.1.7.H | Syslog | All events | Yes | Yes | Yes |
Cisco | Wireless Services Modules (WiSM) V 5.1+ | Syslog | All events | Yes | No | No |
Cisco | Identity Services Engine V1.1 to V2.2 | UDP Multiline Syslog | Event types: Audit, Device events | No | Yes | No |
Citrix | NetScaler V9.3 to V10.0 | Syslog | All events | Yes | Yes | No |
Citrix | Access Gateway V4.5 | Syslog | Access, audit, and diagnostic events | Yes | No | No |
Cloudera | Cloudera Navigator | Syslog | Audit events for HDFS, HBase, Hive, Hue, Cloudera Impala, Sentry | Yes | No | No |
CloudPassage | CloudPassage Halo | Syslog, Log file | All events | Yes | No | No |
CrowdStrike | Falcon Host V1.0 | Syslog LEEF | Falcon Host Detection Summary Falcon Host Authentication Log Falcon Host Detect Status Update Logs Customer IOC Detect Event Hash Spreading Event | Yes | No | No |
CorreLog | CorreLog Agent for IBMz/OS | Syslog LEEF | All events | Yes | No | No |
CRYPTOCard | CRYPTO-Shield V6.3 | Syslog | All events | No | No | No |
CyberArk | CyberArk Privileged Threat Analytics V3.1 | Syslog | Detected security events | Yes | No | No |
CyberArk | CyberArk Vault V6.x | Syslog | All events | Yes | Yes | No |
CyberGuard | Firewall/VPN KS1000 V5.1 | Syslog | CyberGuard events | Yes | No | No |
Damballa | Failsafe V5.0.2+ | Syslog | All events | Yes | No | No |
Digital China Networks | DCS and DCRS Series switches V1.8.7 | Syslog | DCS and DCRS IPv4 events | No | No | No |
DG Technology | DG Technology MEAS | LEEF Syslog | Mainframe events | Yes | No | No |
ESET | ESET Remote Administrator V6.4.270 | Syslog LEEF | Threat events Firewall Aggregated Event HIPS Aggregated Event Audit events | Yes | No | No |
Extreme | Dragon V5.0, V6.x, V7.1, V7.2, V7.3, and V7.4 | Syslog SNMPv1 SNMPv3 | All relevant Extreme Dragon events | Yes | No | No |
Extreme | 800-Series Switch | Syslog | All events | Yes | No | No |
Extreme | Matrix Router V3.5 | Syslog SNMPv1 SNMPv2 SNMPv3 | SNMP and syslog login, logout, and login failed events | Yes | No | No |
Extreme | NetSight Automatic Security Manager V3.1.2 | Syslog | All events | Yes | No | No |
Extreme | Matrix N/K/S Series Switch V6.x, V7.x | Syslog | All relevant Matrix K-Series, N-Series and S-Series device events | Yes | No | No |
Extreme | Stackable and Standalone Switches | Syslog | All events | Yes | Yes | No |
Extreme | XSR Security Router V7.6.14.0002 | Syslog | All events | Yes | No | No |
Extreme | HiGuard Wireless IPS V2R2.0.30 | Syslog | All events | Yes | No | No |
Extreme | HiPath Wireless Controller V2R2.0.30 | Syslog | All events | Yes | No | No |
Extreme | NAC V3.2 and V3.3 | Syslog | All events | Yes | No | No |
Enterprise-IT- | SF-Sherlock V8.1 and later | LEEF | All_Checks, DB2_Security_Configuration, JES_Configuration, Job_Entry_System_Attack, Network_Parameter, Network_Security, No_Policy, Resource_Access_Viol, Resource_Allocation, Resource_Protection, Running_System_Change, Running_System_Security, Running_System_Status, Security_Dbase_Scan, Security_Dbase_Specialty, Security_Dbase_Status, Security_Parm_Change, Security_System_Attack, Security_System_Software, Security_System_Status, SF-Sherlock, Sherlock_Diverse, Sherlock_Diverse, Sherlock_Information, Sherlock_Specialties, Storage_Management, Subsystem_Scan, Sysplex_Security, Sysplex_Status, System_Catalog, System_File_Change, System_File_Security, System_File_Specialty, System_Log_Monitoring, System_Module_Security, System_Process_Security, System_Residence, System_Tampering, System_Volumes, TSO_Status, UNIX_OMVS_Security, UNIX_OMVS_System, User_Defined_Monitoring, xx_Resource_Prot_Templ | Yes | No | No |
Epic | Epic SIEM, version Epic 2014, Epic 2015, and Epic 2017 | LEEF | Audit, Authentication | Yes | Yes | No |
Exabeam | Exabeam V1.7 and V2.0 | not applicable | Critical, Anomalous | Yes | No | No |
Extreme Networks | Extreme Ware V7.7 and XOS V12.4.1.x | Syslog | All events | No | Yes | No |
F5 Networks | BIG-IP AFM V11.3 | Syslog | Network, network DoS, protocol security, DNS, and DNS DoS events | Yes | No | No |
F5 Networks | BIG-IP LTM V4.5, V9.x to V11.x | Syslog | All events | No | Yes | No |
F5 Networks | BIG-IP ASM V10.1 to V13.0 | Syslog | All events Common Event Format (CEF) formatted messages | No | Yes | No |
F5 Networks | BIG-IP APM V10.x, and V11.x | Syslog | All events | Yes | No | No |
F5 Networks | FirePass V7.0 | Syslog | All events | Yes | Yes | No |
Fair Warning | Fair Warning V2.9.2 | Log File Protocol | All events | No | No | No |
Fasoo | Fasoo Enterprise DRM V5.0 | JDBC | NVP event format Usage events | No | No | No |
Fidelis Security Systems | Fidelis XPS V7.3.x | Syslog | Alert events | Yes | No | No |
FireEye | FireEye CMS, MPS, EX, AX, NX, FX, and HX | Syslog, TLS Syslog | All relevant events Common Event Format (CEF) formatted messages Log Event Extended Format (LEEF) | Yes | No | No |
FreeRADIUS | FreeRADIUS V2.x | Syslog | All events | Yes | Yes | No |
Forcepoint | Forcepoint Sidewinder V6.1 (formerly known as McAfee Firewall Enterprise V6.1) | Syslog | Forcepoint Sidewinder audit events | Yes | No | No |
Forcepoint | Stonesoft Management Center V5.4 to 6.1 | Stonesoft Management Center V5.4 to 6.1 | Event format: LEEF Event types: Management Center, IPS, Firewall, and VPN events | Yes | No | No |
Forcepoint (formerly known as Websense) | TRITON V7.7, and V8.2 | Syslog | All events | Yes | No | No |
Forcepoint (formerly known as Websense) | V-Series Data Security Suite (DSS) V7.1x | Syslog | All events | Yes | Yes | Yes |
Forcepoint (formerly known as Websense) | V-Series Content Gateway V7.1x | Log File Protocol | All events | No | No | No |
ForeScout | CounterACT V7.x and later | Syslog | Denial of Service, system, exploit, authentication, and suspicious events | No | No | No |
Fortinet | FortiGate Security Gateway FortiOS V5.6 and earlier | Syslog, Syslog Redirect | All events | Yes | Yes | Yes |
Foundry | FastIron V3.x.x and V4.x.x | Syslog | All events | Yes | Yes | No |
genua | genugate V8.2+ | Syslog | General error messages High availability General relay messages Relay-specific messages genua programs/daemons EPSI Accounting Daemon - gg/src/acctd Configfw FWConfig ROFWConfig User-Interface Webserver | Yes | Yes | No |
Great Bay | Beacon | Syslog | All events | Yes | Yes | No |
H3C Technologies | H3C Comware Platform, H3C Switches, H3C Routers, H3C Wireless LAN Devices, and H3C IP Security Devices (V7 is supported) | Syslog | NVP System | No | No | No |
HBGary | Active Defense V1.2 and later | Syslog | All events | Yes | No | No |
HP | Network Automation V10.11 | Syslog LEEF | All operational and configuration network events. | Yes | Yes | No |
HP | ProCurve K.14.52 | Syslog | All events | Yes | No | No |
HP | Tandem | Log File Protocol | Safe Guard Audit file events | No | No | No |
HP | UX V11.x and later | Syslog | All events | No | Yes | No |
Honeycomb Technologies | Lexicon File Integrity Monitor mesh service V3.1 and later | Syslog | Integrity events | Yes | No | No |
Huawei | S Series Switch S5700, S7700, and S9700 using V200R001C00 | Syslog | IPv4 events from S5700, S7700, and S9700 Switches | No | No | No |
Huawei | AR Series Router (AR150, AR200, AR1200, AR2200, and AR3200 routers using V200R002C00) | Syslog | IPv4 events | No | No | No |
IBM | AIX V6.1 and V7.1 | Syslog, Log File Protocol | Configured audit events | Yes | No | No |
IBM | AIX 5.x, 6.x, and v7.x | Syslog | Authentication and operating system events | Yes | Yes | No |
IBM | AS/400 iSeries DSM V5R4 and later | Log File Protocol | All events | No | Yes | No |
IBM | AS/400 iSeries - Robert Townsend Security Solutions V5R1 and later | Syslog | CEF formatted messages | Yes | Yes | No |
IBM | AS/400 iSeries - Powertech Interact V5R1 and later | Syslog | CEF formatted messages | Yes | Yes | No |
IBM | BigFix V8.2.x to 9.5.2 (formerly known as Tivoli Endpoint Manager) | IBM BigFix SOAP Protocol | Server events | No | No | No |
IBM | IBM BigFix Detect | IBM BigFix EDR REST API Protocol | LEEF, IOC and IOA alerts | Yes | No | No |
IBM | Bluemix Platform | Syslog, TLS Syslog | All System (Cloud Foundry) events, some application events | Yes | No | No |
IBM | Federated Directory Server V7.2.0.2 and later | LEEF | FDS Audit | Yes | No | No |
IBM | InfoSphere 8.2p45 | Syslog | Policy builder events | No | No | No |
IBM | ISS Proventia M10 v2.1_2004.1122_15.13.53 | SNMP | All events | No | No | No |
IBM | Lotus Domino v8.5 | SNMP | All events | No | No | No |
IBM | Proventia Management SiteProtector v2.0 and v2.9 | JDBC | IPS and audit events | No | No | No |
IBM | RACF v1.9 to v1.13 | Log File Protocol | All events | No | No | Yes |
IBM | CICS v3.1 to v4.2 | Log File Protocol | All events | No | No | Yes |
IBM | DB2 v8.1 to v10.1 | Log File Protocol | All events | No | No | Yes |
IBM | IBM DataPower Firmware V6 and V7 (formerly known as WebSphere DataPower) | Syslog | All events | Yes | No | No |
IBM | IBM Fiberlink MaaS360 | LEEF | Compliance rule events Device enrollment events Action history events | No | Yes | No |
IBM | IBM JSA Packet Capture IBM JSA Packet Capture 2014.3 to 2014.8 IBM JSA Network Packet Capture V7.3.0 | Syslog, LEEF | All events | Yes | No | No |
IBM | IBM SAN Volume Controller | Syslog | CADF event format | Yes | No | No |
IBM | z/OS v1.9 to v1.13 | Log File Protocol | All events | No | No | Yes |
IBM | Informix v11 | Log File Protocol | All events | No | No | No |
IBM | IMS | Log File Protocol | All events | No | No | No |
IBM | Security Identity Governance (ISIG) | JDBC | NVP event format Audit event type | No | No | No |
IBM | Security Network Protection (XGS) v5.0 with fixpack 7 to v5.4 | Syslog | System, access, and security events | Yes | No | No |
IBM | Security Network IPS v4.6 and later | Syslog | Security, health, and system events | Yes | No | No |
IBM | Security Identity Manager 6.0.x and later | JDBC | Audit and recertification events | No | Yes | No |
IBM | IBM Security Trusteer Apex Advanced Malware Protection | Syslog/LEEF Log File Protocol | Malware Detection Exploit Detection Data Exfiltration Detection Lockdown for Java Event File Inspection Event Apex Stopped Event Apex Uninstalled Event Policy Changed Event ASLR Violation Event ASLR Enforcement Event Password Protection Event | Yes | Yes | No |
IBM | IBM Sense v1 | Syslog | LEEF | Yes | No | No |
IBM | IBM SmartCloud Orchestrator v2.3 FP1 and later | IBM SmartCloud Orchestrator REST API | Audit Records | No | Yes | No |
IBM | Tivoli Access Manager IBM Web Security Gateway v7.x | Syslog | audit, access, and HTTP events | Yes | Yes | No |
IBM | Tivoli Endpoint Manager v8.2.x and later | IBM Tivoli Endpoint Manager SOAP Protocol | Server events | No | Yes | No |
IBM | WebSphere Application Server v5.0 to v8.5 | Log File Protocol | All events | No | Yes | No |
IBM | WebSphere DataPower (now known as DataPower) | | | | | |
IBM | zSecure Alert v1.13.x and later | UNIX syslog | Alert events | Yes | Yes | No |
IBM | Security Access Manager v8.1 and v8.2 | Syslog | Audit, system, and authentication events | Yes | No | No |
IBM | Security Directory v6.3.1 and later | Syslog LEEF | All events | Yes | Yes | No |
Imperva | Incapsula | LEEF | Access events and Security alerts | Yes | No | No |
Imperva | SecureSphere v6.2 and v7.x Release Enterprise Edition (Syslog) SecureSphere v9.5 to v11.5 (LEEF) | Syslog LEEF | All events | Yes | No | No |
Infoblox | NIOS v6.x | Syslog | All events | No | Yes | No |
Internet Systems Consortium (ISC) | BIND v9.9, v9.11 | Syslog | All events | Yes | No | No |
Intersect Alliance | SNARE Enterprise Windows Agent | Syslog | Microsoft Event Logs | Yes | Yes | No |
iT-CUBE | agileSI v1.x | SMB Tail | AgileSI SAP events | No | Yes | No |
Itron | Openway Smart Meter | Syslog | All events | Yes | No | No |
Juniper Networks | AVT | JDBC | All events | No | No | Yes |
Juniper Networks | DDoS Secure (Juniper Networks DDoS Secure is now known as NCC Group DDoS Secure) | Syslog | All events | Yes | No | No |
Juniper Networks | DX | Syslog | Status and network condition events | Yes | No | Yes |
Juniper Networks* | Infranet Controller v2.1, v3.1 & v4.0 | Syslog | All events | No | Yes | Yes |
Juniper Networks | Firewall and VPN v5.5r3 and later | Syslog | Juniper Firewall events | Yes | Yes | Yes |
Juniper Networks | Junos WebApp Secure v4.2.x | Syslog | Incident and access events | Yes | No | No |
Juniper Networks | IDP v4.0, v4.1 & v5.0 | Syslog | Juniper IDP events | Yes | No | Yes |
Juniper Networks | Network and Security Manager (NSM) and Juniper SSG v2007.1r2 to 2007.2r2, 2008.r1, 2009r1.1, 2010.x | Syslog | Juniper NSM events | Yes | No | Yes |
Juniper Networks | Junos OS v7.x to v10.x (EX Series Ethernet Switch DSM only supports v9.0 to v10.x) | Syslog or PCAP Syslog*** | All events | Yes** | Yes | Yes |
Juniper Networks | Secure Access RA (Juniper Networks Secure Access is now known as Pulse Secure Pulse Connect Secure) | | | | | |
Juniper Networks | Juniper Security Binary Log Collector SRX or J Series appliances at v12.1 or above | Binary | Audit, system, firewall, and IPS events | No | No | Yes |
Juniper Networks | Steel-Belted Radius v5.x and later | Syslog | All events | Yes | Yes | Yes |
Juniper Networks | vGW Virtual Gateway v4.5 | Syslog | Firewall, admin, policy and IDS Log events | Yes | No | No |
Juniper Networks | Wireless LAN Controller (Wireless LAN devices with Mobility System Software (MSS) V7.6 and later) | Syslog | All events | Yes | No | No |
Kaspersky | Security Center v9.2 and later | JDBC, LEEF | Antivirus, server, and audit events | No | Yes | No |
Kaspersky | Threat Feed Service | Syslog | Detect, Status, Evaluation | Yes | No | No |
Kisco | Kisco Information Systems SafeNet/i V10.11 | Log File | All events | No | No | No |
Lastline | Lastline Enterprise 6.0 | LEEF | Anti-malware | Yes | No | No |
Lieberman | Random Password Manager v4.8x | Syslog | All events | Yes | No | No |
LightCyber | LightCyber Magna V3.9 | Syslog, LEEF | C&C, exfiltration, lateral movement, malware, and recon | Yes | No | No |
Linux | Open Source Linux OS v2.4 and later | Syslog | Operating system events | Yes | Yes | No |
Linux | DHCP Server v2.4 and later | Syslog | All events from a DHCP server | Yes | Yes | No |
Linux | IPtables kernel v2.4 and later | Syslog | Accept, Drop, or Reject events | Yes | No | No |
McAfee | Application / Change Control v4.5.x | JDBC | Change management events | No | Yes | No |
McAfee | ePolicy Orchestrator v3.5 to v5.x | JDBC, SNMPv2, SNMPv3 | AntiVirus events | No | No | No |
McAfee | Firewall Enterprise v6.1 | Syslog | Firewall Enterprise events | Yes | No | No |
McAfee | Intrushield v2.x - v5.x | Syslog | Alert notification events | Yes | No | No |
McAfee | Intrushield v6.x - v7.x | Syslog | Alert and fault notification events | Yes | No | No |
McAfee | Web v6.0.0 and later | Syslog, Log File Protocol | All events | Yes | No | No |
MetaInfo | MetaIP v5.7.00-6059 and later | Syslog | All events | Yes | Yes | No |
Microsoft | Azure | Syslog Microsoft Azure Event Hubs | Event formats: LEEF, JSON Recorded event types: Network Security Group (NSG) Flow logs, Network Security Group (NSG) Logs, Authorization, Classic Compute, Classic Storage, Compute, Insights, KeyVault, SQL, Storage, Automation, Cache, CDN, Devices, Event Hub, HDInsight, Recovery Services, AppService, Batch, Bing Maps, Certificate Registration, Cognitive Services, Container Service, Content Moderator, Data Catalog, Data Factory, Data Lake Analytics, Data Lake Store, Domain Registration, Dynamics LCS, Features, Logic, Media, Notification Hubs, Search, Servicebus, Support, Web, Scheduler, Resources, Resource Health, Operation Insights, Market Place Ordering, API Management, AD Hybrid Health Service, Server Management | Yes | No | No |
Microsoft | DNS Debug Supported versions: Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2 | WinCollect Microsoft DNS Debug | LEEF | Yes | Yes | No |
Microsoft | IIS v6.0, 7.0 and 8.x | Syslog | HTTP status code events | Yes | No | No |
Microsoft | Internet and Acceleration (ISA) Server or Threat Management Gateway 2006 | Syslog | ISA or TMG events | Yes | No | No |
Microsoft | Exchange Server 2003, 2007, 2010, 2013, and 2016 | Windows Exchange Protocol | Outlook Web Access events (OWA) Simple Mail Transfer Protocol events (SMTP) Message Tracking Protocol events (MSGTRK) | No | No | No |
Microsoft | Endpoint Protection 2012 | JDBC | Malware detection events | No | No | No |
Microsoft | Hyper-V supported versions: Windows Server 2016 Windows Server 2012 (most recent) Windows Server 2012 Core Windows Server 2008 (most recent) Windows Server 2008 Core Windows 10 (most recent) Windows 8 (most recent) Windows 7 (most recent) Windows Vista (most recent) | WinCollect | All events | No | No | No |
Microsoft | IAS Server v2000, 2003, and 2008 | Syslog | All events | Yes | No | No |
Microsoft | Microsoft Windows Defender ATP | Windows Defender ATP REST API | Event format: JSON Event types: Windows Defender ATP Windows Defender AV Third Party TI Customer TI Bitdefender | No | No | No |
Microsoft | Microsoft Windows Event Security Log v2000, 2003, 2008, XP, Vista, and Windows 7 (32 or 64-bit systems supported) supported versions: Windows Server 2016 Windows Server 2012 (most recent) Windows Server 2012 Core Windows Server 2008 (most recent) Windows 10 (most recent) Windows 8 (most recent) Windows 7 (most recent) Windows Vista (most recent) | Syslog non-Syslog Microsoft Windows Event Log Protocol Source Common Event Format (CEF) format, Log Event Extended Format (LEEF) | All events, including Sysmon | Yes | Yes | Yes |
Microsoft | SQL Server 2008, 2012, and 2014 | JDBC | SQL Audit events | No | No | No |
Microsoft | SharePoint 2010 and 2013 | JDBC | SharePoint audit, site, and file events | No | No | No |
Microsoft | DHCP Server 2000/2003 | Syslog | All events | Yes | Yes | No |
Microsoft | Microsoft Office 365 | Office 365 REST API | JSON | No | No | No |
Microsoft | Operations Manager 2005 | JDBC | All events | No | No | No |
Microsoft | System Center Operations Manager 2007 | JDBC | All events | No | No | No |
Motorola | Symbol AP firmware v1.1 to 2.1 | Syslog | All events | No | No | No |
NCC Group | NCC Group DDoS V5.13.1-2s to 516.1-0 | Syslog | Event format: LEEF Event types: All events | Yes | No | No |
Niara | Niara V1.6 | Syslog | Security System Internal Activity Exfiltration Exfiltration Command & Control | Yes | No | Yes |
NetApp | Data ONTAP | Syslog | CIFS events | Yes | Yes | No |
Netskope | Netskope Active | Netskope Active REST API | Alert, All events | No | Yes | No |
Niksun | NetVCR 2005 v3.x | Syslog | Niksun events | No | No | No |
Nokia | Firewall NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later | Syslog or OPSEC LEA | All events | Yes | Yes | No |
Nokia | VPN-1 NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later | Syslog or OPSEC LEA | All events | Yes | Yes | No |
Nominum | Vantio v5.3 | Syslog | All events | Yes | No | No |
Nortel | Contivity | Syslog | All events | Yes | No | No |
Nortel | Application Switch v3.2 and later | Syslog | Status and network condition events | No | Yes | No |
Nortel | ARN v15.5 | Syslog | All events | Yes | No | No |
Nortel* | Ethernet Routing Switch 2500 v4.1 | Syslog | All events | No | Yes | No |
Nortel* | Ethernet Routing Switch 4500 v5.1 | Syslog | All events | No | Yes | No |
Nortel* | Ethernet Routing Switch 5500 v5.1 | Syslog | All events | No | Yes | No |
Nortel | Ethernet Routing Switch 8300 v4.1 | Syslog | All events | No | Yes | No |
Nortel | Ethernet Routing Switch 8600 v5.0 | Syslog | All events | No | Yes | No |
Nortel | VPN Gateway v6.0, 7.0.1 and later, v8.x | Syslog | All events | Yes | Yes | No |
Nortel | Secure Router v9.3, v10.1 | Syslog | All events | Yes | Yes | No |
Nortel | Secure Network Access Switch v1.6 and v2.0 | Syslog | All events | Yes | Yes | No |
Nortel | Switched Firewall 5100 v2.4 | Syslog or OPSEC | All events | Yes | Yes | No |
Nortel | Switched Firewall 6000 v4.2 | Syslog or OPSEC | All events | Yes | Yes | No |
Nortel | Threat Protection System v4.6 and v4.7 | Syslog | All events | No | No | No |
Novell | eDirectory v2.7 | Syslog | All events | Yes | No | No |
ObserveIT | ObserveIT 5.7.x and later | JDBC | Alerts User Activity System Events Session Activity DBA Activity | No | Yes | No |
Okta | Okta Identity Management | Okta REST API | JSON | No | Yes | No |
Onapsis | Onapsis Security Platform v1.5.8 and later | Log Event Extended Format (LEEF) | Assessment Attack signature Correlation Compliance | Yes | No | No |
OpenBSD Project | OpenBSD v4.2 and later | Syslog | All events | No | Yes | No |
Open LDAP Foundation | Open LDAP 2.4.x | UDP Multiline Syslog | All events | No | No | No |
Open Source | SNORT v2.x | Syslog | All events | Yes | No | No |
OpenStack | OpenStack v2015.1 | HTTP Receiver | Audit events | No | No | No |
Oracle | Oracle DB Audit Records v9i, v10g, v11g, v12c (includes unified auditing) | Syslog JDBC | Event format: Name-Value Pair Recorded event types: Audit records | No | Yes | No |
Oracle | Audit Vault v10.2.3.2 and V12.2 | JDBC | All audit records from the AVSYS.AV$ALERT_STORE table for V10.3, or from the custom AVSYS.AV_ALERT_STORE_V view for V12.2. | No | Yes | No |
Oracle | OS Audit v9i, v10g, and v11g | Syslog | Oracle events | Yes | Yes | No |
Oracle | BEA WebLogic v10.3.x | Log File Protocol | Oracle events | No | No | No |
Oracle | Database Listener v9i, v10g, and v11g | Syslog | Oracle events | Yes | No | No |
Oracle | Directory Server (formerly known as Sun ONE LDAP) | | | | | |
Oracle | Fine Grained Auditing v9i and v10g | JDBC | Select, insert, delete, or update events for tables configured with a policy | No | No | No |
OSSEC | OSSEC v2.6 and later | Syslog | All relevant | Yes | No | No |
Palo Alto Networks | Palo Alto PA Series PanOS v3.0 to v8.0 | LEEF for PAN-OS v3.0 to v8.0 CEF for PAN-OS v4.0 to v6.1 | Traffic Threat URL Filtering Data WildFire Config System HIP Match Authentication User-ID Tunnel Inspection Correlation | Yes | Yes | No |
Palo Alto Networks | Palo Alto Endpoint Security Manager V3.4.2.17401 | Syslog LEEF | Agent Config Policy Policy Threat | Yes | No | No |
Pirean | Access: One v2.2 with DB2 v9.7 | JDBC | Access management and authentication events | No | No | No |
PostFix | Mail Transfer Agent v2.6.6 and later | UDP Multiline Protocol or Syslog | Mail events | No | No | No |
ProFTPd | ProFTPd v1.2.x, v1.3.x | Syslog | All events | Yes | Yes | No |
Proofpoint | Proofpoint Enterprise Protection and Enterprise Privacy versions 7.0.2, 7.1, or 7.2 | Syslog | System, email audit, email encryption, and email security threat classification events | No | No | No |
Pulse Secure | Pulse Secure Pulse Connect Secure V8.2R5 | Syslog TLS Syslog | Event formats: Admin, Authentication, System, Network, Error Event types: All events | Yes | Yes | Yes |
Radware | AppWall v6.5.2 and V8.2 | Syslog | Event format: Vision Log Recorded event types: Administration Audit Learning Security System | Yes | No | No |
Radware | DefensePro v4.23, 5.01, 6.x and 7.x | Syslog | All events | Yes | No | No |
Raz-Lee iSecurity | AS/400 iSeries Firewall 15.7 and Audit 11.7 | Syslog | Security and audit events | Yes | Yes | No |
Redback Networks | ASE v6.1.5 | Syslog | All events | Yes | No | No |
Resolution1 | Resolution1 CyberSecurity (formerly known as AccessData InSight) | Log file | Volatile Data, Memory Analysis Data, Memory Acquisition Data, Collection Data, Software Inventory, Process Dump Data, Threat Scan Data, Agent Remediation Data | No | No | No |
Riverbed | SteelCentral NetProfiler | JDBC | Alert events | No | No | No |
Riverbed | SteelCentral NetProfiler Audit | Log file protocol | Audit events | No | Yes | No |
RSA | Authentication Manager v6.x, v7.x, and v8.x | v6.x and v7.x use Syslog or Log File Protocol; v8.x uses Syslog only | All events | No | No | No |
SafeNet | DataSecure v6.3.0 and later | Syslog | All events | Yes | No | No |
Salesforce | Security Auditing | Log File | Setup Audit Records | No | No | No |
Salesforce | Security Monitoring | Salesforce REST API Protocol | Login History Account History Case History Entitlement History Service Contract History Contract Line Item History Contract History Contact History Lead History Opportunity History Solution History | No | Yes | No |
Samhain Labs | HIDS v2.4 | Syslog, JDBC | All events | Yes | No | No |
SAP | SAP Enterprise Threat Detection sp6 | SAP Enterprise Threat Detection Alert API | LEEF | No | No | No |
Seculert | Seculert v1 | Seculert Protection REST API Protocol | All malware communication events | No | No | No |
Sentrigo | Hedgehog v2.5.3 | Syslog | All events | Yes | No | No |
Skyhigh Networks | Skyhigh Networks Cloud Security Platform v2.4 | Syslog | Event format: Log Event Extended Format (LEEF) Recorded event types: Privilege Access, Insider Threat, Compromised Account, Access, Admin, Data, Policy, and AuditAnomaly events | Yes | No | No |
SolarWinds | Orion v2011.2 | Syslog | All events | Yes | No | No |
SonicWALL | UTM/Firewall/VPN Appliance v3.x and later | Syslog | All events | Yes | No | No |
Sophos | Astaro v8.x | Syslog | All events | Yes | No | No |
Sophos | Enterprise Console v4.5.1 and v5.1 | Sophos Enterprise Console protocol, JDBC | All events | No | No | No |
Sophos | PureMessage v3.1.0.0 and later for Microsoft Exchange; v5.6.0 for Linux | JDBC | Quarantined email events | No | No | No |
Sophos | Web Security Appliance v3.x | Syslog | Transaction log events | Yes | No | No |
Sourcefire | Intrusion Sensor IS 500, v2.x, 3.x, 4.x | Syslog | All events | Yes | No | No |
Sourcefire | Defense Center v4.8.0.2 to v5.2.0.4 (now known as Cisco FireSIGHT Management Center) | Sourcefire Defense Center | All events | No | No | No |
Splunk | Microsoft Windows Security Event Log | Windows-based events provided by Splunk Forwarders | All events | No | Yes | No |
Squid | Web Proxy v2.5 and later | Syslog | All cache and access log events | Yes | No | No |
Starent Networks | Starent Networks | Syslog | All events | Yes | No | No |
STEALTHbits Technologies | STEALTHbits File Activity Monitor | Syslog LEEF | File Activity Monitor Events | |||
STEALTHbits Technologies | StealthINTERCEPT | Syslog LEEF | Active Directory Audit Events | Yes | No | No |
STEALTHbits Technologies | STEALTHbits StealthINTERCEPT Alerts | Syslog LEEF | Active Directory Alerts Events | Yes | No | No |
STEALTHbits Technologies | STEALTHbits StealthINTERCEPT Analytics | Syslog LEEF | Active Directory Analytics Events | Yes | No | No |
Stonesoft | Management Center v5.4 | Syslog | Management Center, IPS, Firewall, and VPN Events | Yes | No | No |
Sun | Solaris v5.8, v5.9, Sun OS v5.8, v5.9 | Syslog | All events | Yes | Yes | No |
Sun | Solaris DHCP v2.8 | Syslog | All events | Yes | Yes | No |
Sun | Solaris Sendmail v2.x | Syslog, Log File Protocol, Proofpoint 7.5 and 8.0 Sendmail log | All events | Yes | No | No |
Sun | Solaris Basic Security Mode (BSM) v5.10 and v5.11 | Log File Protocol | All events | No | Yes | No |
Sun | ONE LDAP v11.1 (now known as Oracle Directory Server) | Log File Protocol, UDP Multiline Syslog | All relevant access and LDAP events | No | No | No |
Sybase | ASE v15.0 and later | JDBC | All events | No | No | No |
Symantec | Endpoint Protection v11, v12, and v14 | Syslog | All Audit and Security Logs | Yes | No | Yes |
Symantec | SGS Appliance v3.x and later | Syslog | All events | Yes | No | Yes |
Symantec | SSC v10.1 | JDBC | All events | Yes | No | No |
Symantec | Data Loss Prevention (DLP) v8.x and later | Syslog | All events | No | No | No |
Symantec | PGP Universal Server 3.0.x | Syslog | All events | Yes | No | No |
Symark | PowerBroker 4.0 | Syslog | All events | Yes | No | No |
ThreatGRID | Malware Threat Intelligence Platform v2.0 | Log file protocol, Syslog | Malware events | No | No | No |
TippingPoint | Intrusion Prevention System (IPS) v1.4.2 to v3.2.x | Syslog | All events | No | No | No |
TippingPoint | X505/X506 v2.5 and later | Syslog | All events | Yes | Yes | No |
Top Layer | IPS 5500 v4.1 and later | Syslog | All events | Yes | No | No |
Trend Micro | Control Manager v5.0 or v5.5 with hotfix 1697 or hotfix 1713 after SP1 Patch 1 | SNMPv1, SNMPv2, SNMPv3 | All events | Yes | No | No |
Trend Micro | Deep Discovery Analyzer V5.0, V5.5, V5.8 and V6.0 | LEEF | All events | Yes | No | No |
Trend Micro | Deep Discovery Email Inspector v3.0 | Log Event Extended Format (LEEF) | Detections, Virtual Analyzer Analysis logs, System events, Alert events | Yes | No | No |
Trend Micro | Deep Discovery Inspector V3.0 to V3.8, V5.0 and V5.1 | Log Event Extended Format (LEEF) | Malicious content, Malicious behavior, Suspicious behavior, Exploit, Grayware, Web reputation, Disruptive application, Sandbox, Correlation, System, Update | Yes | No | No |
Trend Micro | Deep Security v9.6.1532, V10.0.1962 and V10.1 | Log Event Extended Format (LEEF) | Anti-Malware, Deep Security, Firewall, Integrity Monitor, Intrusion Prevention, Log Inspection, System, Web Reputation | Yes | No | No |
Trend Micro | InterScan VirusWall v6.0 and later | Syslog | All events | Yes | No | No |
Trend Micro | Office Scan v8.x and v10.x | SNMPv2 | All events | No | No | No |
Tripwire | Enterprise Manager v5.2 and later | Syslog | Resource additions, removal, and modification events | Yes | No | No |
Tropos Networks | Tropos Control v7.7 | Syslog | Fault management, login/logout, provision, and device image upload events | No | No | No |
Trusteer | Apex Local Event Aggregator v1304.x and later | Syslog | Malware, exploit, and data exfiltration detection events | Yes | No | No |
Universal | Syslog and SNMP | Syslog, SNMP, SDEE | All events | No | Yes | No |
Universal | Syslog | Syslog, Log File Protocol | All events | No | Yes | No |
Universal | Authentication Server | Syslog | All events | No | Yes | No |
Universal | Firewall | Syslog | All events | No | No | No |
Vectra Networks | Vectra Networks Vectra v2.2 | Syslog (Common Event Format) | Host scoring, command and control, botnet activity, reconnaissance, lateral movement, exfiltration | Yes | No | No |
Verdasys | Digital Guardian V6.0.x (Syslog only); Digital Guardian V6.1.1 and V7.2 (LEEF only) | Syslog, LEEF | All events | Yes | No | No |
Vericept | Content 360 up to v8.0 | Syslog | All events | Yes | No | No |
VMware | VMware AppDefense V1.0 | VMware AppDefense API protocol (JSON) | All events | No | No | No |
VMware | VMware ESX or ESXi 3.5.x, 4.x, 5.x and 6.x | Syslog, VMware protocol | Account Information, Notice, Warning, Error, System Informational, System Configuration, System Error, User Login, Misc, Suspicious Event, Access Denied, License Expired, Information, Authentication, Session Tracking | Yes (Syslog only) | No | No |
VMware | vCenter v5.x | VMware protocol | Account Information, Notice, Warning, Error, System Informational, System Configuration, System Error, User Login, Misc, Suspicious Event, Access Denied, License Expired, Information, Authentication, Session Tracking | No | No | No |
VMware | vCloud Director v5.1 | vCloud Director protocol | All events | No | Yes | No |
VMware | vShield | Syslog | All events | Yes | No | No |
Vormetric, Inc. | Vormetric Data Security | Syslog (LEEF) | Audit, Alarm, Warn, Learn Mode, System | Yes | No | No |
Watchguard | WatchGuard Fireware OS | Syslog | All events | Yes | No | No |
Websense (now known as Forcepoint) | ||||||
Zscaler | Zscaler NSS v4.1 | Syslog | Web log events | Yes | No | No |
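Many of the DSMs in the table above (Palo Alto Networks, Trend Micro, Vormetric, STEALTHbits, Skyhigh Networks, Verdasys, SAP) expect the device to emit Log Event Extended Format (LEEF) over syslog, and a device whose LEEF is malformed will not auto-discover or will land as an unknown log source. The following parser is an added example for this page, not Juniper's code and not any listed vendor's output: it checks a captured sample of device output for a well-formed LEEF 1.0 or 2.0 header and key=value attributes before the log source is onboarded. The sample event lines are constructed for illustration; the LEEF 2.0 delimiter handling (a single character, or a hex code such as x7C / 0x7C) and the set of core attribute names are assumptions taken from the LEEF format convention rather than from this page.

```python
"""Parse and sanity-check LEEF 1.0 / 2.0 events before pointing a device at JSA.

Added example for the DSM table; it is not Juniper's code and not any listed
vendor's output. The sample lines below are constructed to exercise the format.
"""
import re
from dataclasses import dataclass, field

# A syslog prefix ("<PRI>timestamp host ") may precede the LEEF header, so find it anywhere.
_LEEF_HEADER = re.compile(r"LEEF:(?P<version>[12]\.0)\|")

# Predefined LEEF attribute names (assumption: LEEF convention) that map to normalized
# fields; usrName is what makes an event useful for identity tracking.
CORE_FIELDS = ("devTime", "src", "dst", "usrName")


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict = field(default_factory=dict)


def _resolve_delimiter(token: str) -> str:
    """LEEF 2.0 header field 5 names the attribute delimiter: one literal character,
    or its hex code written as x7C or 0x7C. Empty means the LEEF 1.0 default, a tab."""
    if token == "":
        return "\t"
    if len(token) == 1:
        return token
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,2})", token)
    if not m:
        raise ValueError(f"invalid LEEF 2.0 delimiter field: {token!r}")
    return chr(int(m.group(1), 16))


def parse_leef(line: str) -> LeefEvent:
    """Parse one event line. Raises ValueError on a malformed header or attribute."""
    m = _LEEF_HEADER.search(line)
    if not m:
        raise ValueError("no LEEF header found")
    version = m.group("version")
    # Header fields are pipe-separated; a literal pipe inside a field is escaped as "\|".
    parts = re.split(r"(?<!\\)\|", line[m.end():])
    n_header = 4 if version == "1.0" else 5
    if len(parts) <= n_header:
        raise ValueError("LEEF header is missing fields")
    header = [p.replace("\\|", "|") for p in parts[:n_header]]
    # Attribute values may contain unescaped pipes (URLs, messages); re-join what split cut.
    attr_text = "|".join(parts[n_header:])
    delimiter = "\t" if version == "1.0" else _resolve_delimiter(header[4])
    attributes = {}
    for chunk in attr_text.split(delimiter):
        if chunk.strip() == "":
            continue
        key, sep, value = chunk.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"attribute without key=value form: {chunk!r}")
        # partition() keeps everything after the first "="; an escaped "\=" inside a value is unescaped.
        attributes[key.strip()] = value.replace("\\=", "=")
    return LeefEvent(version, header[0], header[1], header[2], header[3], attributes)


def missing_core_fields(event: LeefEvent) -> list:
    """Which of the core predefined attributes the event does not carry."""
    return [f for f in CORE_FIELDS if f not in event.attributes]


# Constructed sample events (not vendor output).
SAMPLE_LEEF10 = (
    "<13>Jun 10 12:00:00 fw01 LEEF:1.0|ExampleVendor|ExampleFW|1.0|THREAT|"
    "devTime=Jun 10 2019 12:00:00\tdevTimeFormat=MMM dd yyyy HH:mm:ss\t"
    "src=10.1.1.5\tdst=192.0.2.10\tsrcPort=51422\tdstPort=443\t"
    "usrName=alice\tsev=7\tmsg=blocked http://example.test/?a=b|c"
)
SAMPLE_LEEF20_CARET = (
    "LEEF:2.0|ExampleVendor|ExampleAudit|2.3|AUTH_FAIL|^|"
    "devTime=2019-06-10T12:00:05Z^src=10.1.1.9^usrName=bob^reason=bad\\=password"
)
SAMPLE_LEEF20_HEXPIPE = "LEEF:2.0|ExampleVendor|ExampleIDS|4|SCAN|x7C|src=10.1.1.7|dst=10.1.1.1|dstPort=22"
SAMPLE_BROKEN = "LEEF:1.0|ExampleVendor|ExampleFW|1.0|THREAT|src=10.1.1.5\tno_equals_here"


def summarize(line: str) -> str:
    """One-line verdict to run over every line of a captured sample file."""
    try:
        ev = parse_leef(line)
    except ValueError as exc:
        return f"REJECT: {exc}"
    missing = missing_core_fields(ev)
    note = f" missing {missing}" if missing else ""
    return f"OK {ev.vendor}/{ev.product} {ev.event_id}{note}"


if __name__ == "__main__":
    for sample in (SAMPLE_LEEF10, SAMPLE_LEEF20_CARET, SAMPLE_LEEF20_HEXPIPE, SAMPLE_BROKEN):
        print(summarize(sample))
```

Run it over a file captured with tcpdump or the collector's raw log before creating the log source: a REJECT line points at a device-side formatting problem (often a pipe or "=" in a free-text field that the device does not escape), and a "missing" note for usrName explains why a source that the table marks as "Includes identity? No" cannot feed identity information even when its events parse cleanly.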