
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Log Parser Ports


Stellar Cyber sensors require open inbound ports on your firewall in order to receive and parse logs from devices on
your network. The ports are already open by default on the sensor but you must open the appropriate ports on your
firewall. This topic lists the supported log parsers and related details. Log parsers are organized in the following
categories:
• Generic
• Vendor-specific
Also see: Firewall Requirements

 Unless otherwise noted, the ports listed are applicable for both UDP and TCP.

 During installation, the sensor timezone is automatically set to UTC+0. Because the logs from some security
products include only the local time without a timezone, Stellar Cyber recommends that you set the sensor
timezone to match the timezone of your security product.

Choosing an Ingestion Port


Sensors listen on port 514 by default and analyze the incoming logs to determine the source device. In some cases,
Stellar Cyber has specific ports for industry-standard log formats, as well as specialized parsers that process
vendor-specific logs in more detail. If you can identify a more specific port for your log type than port 514, you:
• Speed up data ingestion and log parsing, and improve sensor performance, because the sensor already
knows the source device
• Retain the correct log source, because logs received on port 514 have the source set to local when they
are forwarded to the data processor
Use the following as a guide:
• If the logs are in standard CEF, LEEF, or JSON format, forward the data to the port for that standard as
listed in Generic Log Parsers.
• If the logs are in standard syslog format, use the port applicable for that vendor.
• If the logs are in a specialized format, such as syslog parsed with a regular expression, key: value pairs, or
CSV, use the Vendor-specific ports.

Using the Port Relay Feature to Minimize Open Ports


It's a best practice in Stellar Cyber to send logs to their vendor-specific parsers, when available. In releases before
4.3.5, this was done by looking up the vendor-specific port in the list below, pointing your log sources at that port on
the sensor IP address, and opening the port in your firewall.
That approach still works. As an alternative, however, you can configure your sensors to accept log traffic on the
generic syslog ports, 514 (non-TLS) or 6514 (TLS), and relay that traffic to the vendor-specific ports internally,
based on the source IP address of the traffic.
You do this differently depending on the release your sensors are running:

• For sensors running 4.3.5, you configure port relay in the sensor CLI using the instructions below.

• For sensors running 4.3.6, you configure port relay in the System | Collection | Log Sources
page. In 4.3.6, CLI configuration is deprecated and only the Log Sources page is used.

Configuring Port Relay in the CLI


You configure the port relay feature for sensors running 4.3.5 using the set logforwarder device-ip command in the
sensor CLI. The procedure is as follows:
1. Find the IP address of your log source.
2. Use the Log Parser Ports topic to find the parser port for your log source.
3. Connect to the sensor CLI.
4. Use the set logforwarder device-ip command to make an entry on the sensor for your log source and the
corresponding destination port. The syntax is as follows:
set logforwarder device-ip <IP Address> parser-port <Integer> ingestion-port <514|6514, default=514>
So, for example, if you are sending Azure MFA logs from 10.33.5.5 to the sensor, you could either send
them directly to port 5528 as in previous releases, or send them to the standard syslog port 514 and use
the following command on the sensor to relay them internally to 5528:
set logforwarder device-ip 10.33.5.5 parser-port 5528
This command tells the sensor to relay logs received on port 514 (the default, which is why it is not explicitly
specified in the command above) from 10.33.5.5 to the vendor-specific parser port 5528 for Azure MFA.


You can also use the ingestion-port argument if you want to listen for a source on the generic TLS syslog
port instead of the default of 514. For example, for Netfilter logs sent from 10.31.2.2, you would use the
following command to relay them from 6514 to their vendor-specific parser port of 5544:
set logforwarder device-ip 10.31.2.2 parser-port 5544 ingestion-port 6514

Notes on Using the Port Relay Feature


Keep in mind the following when using the port relay feature:
• The sending log source must be on the same subnet as the receiving sensor, and there must be no proxy
or NAT that rewrites the log source IP between the sending log source and the receiving sensor. The relay
matches on the source IP the sensor observes, so a rewritten address never matches its entry and the logs
stay on the generic parser.
• When you create a port relay entry, the sensor listens for both UDP and TCP traffic from the specified
source. You can confirm this with the show logforwarder port-ingestion command.
• The show logforwarder port-ingestion command is also a useful tool for troubleshooting port relay entries:
it shows packet and byte counts for relayed traffic, so you can determine whether traffic is reaching the
sensor.
• You can remove port relay entries using unset logforwarder device-ip <IP Address>.
• The CLI warns you if you try to add an unsupported parser port. It still adds the entry but lists the port as
inactive in the show logforwarder port-ingestion output.
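The following Python script is an added example (not Stellar Cyber's code) for exercising the ingestion paths this section describes from the log source host: it reports the source address the sensor will see (the address your relay entry's device-ip must match), builds an RFC 5424 line with an explicit UTC timestamp so the sensor timezone caveat above does not apply, and sends it over UDP to 514, over TLS to 6514, and as HTTP JSON to port 5200 with the required /httpjson path. The sensor address 192.0.2.10 and the CA file name sensor-ca.pem are placeholders, and the sensor's TLS certificate is assumed to chain to that CA.

```python
"""Pre-flight sender for Stellar Cyber sensor ingestion ports (added example, not vendor code)."""
import datetime
import json
import socket
import ssl
import urllib.request

SENSOR_IP = "192.0.2.10"    # assumption: RFC 5737 placeholder, replace with your sensor's address
PORT_SYSLOG = 514           # generic syslog port, UDP and TCP (sensor default)
PORT_SYSLOG_TLS = 6514      # generic syslog over TLS
PORT_HTTP_JSON = 5200       # HTTP JSON parser, TCP only, URL path must end in /httpjson


def syslog_pri(facility, severity):
    """RFC 5424 PRI value: facility * 8 + severity (1/6 = user.info)."""
    return facility * 8 + severity


def build_rfc5424(hostname, appname, msg, timestamp=None, facility=1, severity=6):
    """Build an RFC 5424 line. The timestamp carries an explicit zone (Z) so the sensor never
    has to guess it; the page notes that local-time-only logs need the sensor timezone matched."""
    if timestamp is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        timestamp = now.isoformat(timespec="seconds").replace("+00:00", "Z")
    return f"<{syslog_pri(facility, severity)}>1 {timestamp} {hostname} {appname} - - - {msg}"


def source_ip_toward(sensor_ip, port=PORT_SYSLOG):
    """Return the local address the OS will stamp on packets to the sensor.
    A UDP connect() sends nothing; it only selects the route and source address.
    This is the value the relay entry's device-ip must equal, or the relay will not match."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((sensor_ip, port))
        return s.getsockname()[0]


def send_udp(line, sensor_ip=SENSOR_IP, port=PORT_SYSLOG):
    """One datagram per message; returns the number of bytes handed to the kernel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (sensor_ip, port))


def send_tcp(line, sensor_ip=SENSOR_IP, port=PORT_SYSLOG, tls=False, cafile=None):
    """Newline-framed syslog over TCP. With tls=True the same framing goes to 6514 and
    certificate verification stays on; do not disable it to make a test pass."""
    payload = (line + "\n").encode("utf-8")
    sock = socket.create_connection((sensor_ip, port), timeout=5)
    if tls:
        ctx = ssl.create_default_context(cafile=cafile)  # assumption: sensor cert chains to cafile
        sock = ctx.wrap_socket(sock, server_hostname=sensor_ip)
    with sock:
        sock.sendall(payload)
    return len(payload)


def post_http_json(event, sensor_ip=SENSOR_IP, port=PORT_HTTP_JSON):
    """HTTP JSON parser: the page requires /httpjson at the end of the target URL."""
    req = urllib.request.Request(
        f"http://{sensor_ip}:{port}/httpjson",
        data=json.dumps(event).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    seen_from = source_ip_toward(SENSOR_IP)
    print(f"sensor will see this host as {seen_from}; the relay entry must use that device-ip")
    line = build_rfc5424("web01", "relaytest", "stellar relay test")
    send_udp(line)                                                        # counts against the 514 entry
    send_tcp(line, port=PORT_SYSLOG_TLS, tls=True, cafile="sensor-ca.pem")  # 6514 entry (ingestion-port 6514)
    post_http_json({"event": "relaytest", "host": "web01"})              # HTTP JSON parser on 5200
```

Run it from the log source host itself, then check show logforwarder port-ingestion on the sensor: the packet and byte counters for that source's entry should increase. If the printed source address differs from the device-ip you configured (for example because a NAT sits in the path), the relay entry never matches and the logs stay on the generic 514 parser.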

Generic Log Parsers


This table includes all supported generic log parser formats, the required firewall port, device type, and the
associated Stellar Cyber index.
Use the msg_origin.source field in the Interflow to find the logs when threat hunting in the specified index.

 In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log
parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser
type (cef, leef).

When the DP processes the logs it decides the index based on the data in the logs. For example, in the table the
Index for LEEF is Traffic (srcip), Syslog (otherwise). This means that the index will be Traffic if a source IP
address is detected, or Syslog if not, in that order.
Following are the firewall ports to open for generic log formats, along with other useful details.

Standard | Port | msg_origin.source | Index | Comments
CEF | 5143 | cef_device_vendor | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) | We recommend you use CEF, if available. See the note on ML IDS / Malware indexing below.
CEF2 | 5175 | cef_device_vendor | Traffic (srcip), Syslog (otherwise) | -
Generic capture | 5201 | generic_capture | Syslog | -
Generic syslog | 514 | - | - | Use only if you must use a log forwarder
HTTP JSON | 5200 (tcp) | httpjson | Syslog | When you configure log forwarding for the HTTP JSON parser on this port, you must append /httpjson to the end of the target sensor URL. Example: http://<sensor-ip>:5200/httpjson
JSON stream | 5142 | json | Syslog | -
JSON beats | 5044 | beats | Syslog | -
LEEF | 5522 | vendor | Traffic (srcip), Syslog (otherwise) | We recommend you use LEEF, if available
Linux Syslog | 5555 | linux_syslogs | Syslog | -
RFC3164 | 5140 | syslog | Syslog | -
RFC5424 | 5141 | syslog | Syslog | -
RFC5424 Enhanced | 5589 | syslog_rfc5424 | Syslog | -

Note on the CEF parser (port 5143): the following vendor records are also indexed in ML IDS / Malware, with the
threat field normalized from the logs as indicated:
• If cef_device_vendor is Check Point, the threat field is normalized from attack_information.
• If cef_device_vendor is F5, the threat field is normalized from attack_type.
• If cef_device_vendor is SentinelOne, the threat field is normalized from classification.
Vendor-specific Log Parsers


This table includes all supported vendor-specific parsers, the required firewall port, device type, and their associated
Stellar Cyber indices.
The msg_origin.source column specifies the vendor's product. Use the field in the Interflow to find the logs when
threat hunting in the specified index. The msg_origin.category column specifies the overall category.

 In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log
parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser
name.

 The index column indicates the fields that must be present (and not null) for the logged data to be entered into
the respective index. In some cases, no specific field is required, so just the index name is listed. For many
parsers, the remaining data that is not mapped to a specific index is "otherwise" mapped into the Syslog index.
For example, for FortiAnalyzer logs received on port 5542, data is added to the ML IDS/Malware index if the
incoming field vendor.attack_name is not null. Data is added to the Traffic index if dstip is not null. The remaining
data is added to the Syslog index. Use the dev_type field in the Interflow to find the logs when threat hunting in
the specified index.
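To make the index-selection rule concrete, here is an added Python example (not Stellar Cyber's parser) that parses CEF lines as received on port 5143 and applies the Index column's first-match order: ML IDS/Malware when the vendor's threat field is present (attack_information for Check Point, attack_type for F5, classification for SentinelOne, as the generic CEF row states), Traffic when the full five-tuple is present, otherwise Syslog. The sample lines are constructed, not real device output, and resolving csNLabel/csN pairs into named fields is a standard CEF convention assumed here, not something the page states.

```python
"""Parse CEF lines and apply the page's index-routing rules (added example, not vendor code)."""
import re

CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")
# Traffic needs all five of these: CEF key -> Interflow field name used on the page.
TRAFFIC_KEYS = {"src": "srcip", "spt": "srcport", "dst": "dstip", "dpt": "dstport", "proto": "proto"}
# Per-vendor source of the normalized `threat` field, from the generic CEF row.
THREAT_SOURCE = {"Check Point": "attack_information", "F5": "attack_type", "SentinelOne": "classification"}
# An extension key starts the line or follows whitespace and ends at '='.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _split_header(cef):
    """Split the 7 pipe-delimited header fields, honouring \\| and \\\\ escapes.
    Returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):       # escaped pipe or backslash
            buf.append(cef[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    return fields, cef[i:]


def _parse_extension(ext):
    """key=value pairs; a value runs until the next ' key='. Unescapes \\= \\n and \\\\."""
    out, hits = {}, list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\").strip()
    # Assumed CEF convention: cs1Label=attack_information cs1=X  ->  attack_information=X
    for key, label in list(out.items()):
        if key.endswith("Label") and key[:-5] in out:
            out[label] = out[key[:-5]]
    return out


def parse_cef(line):
    """Accepts a bare CEF line or one carrying a syslog prefix before 'CEF:'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header")
    header, ext = _split_header(line[start:])
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    rec = dict(zip(CEF_HEADER, header))
    rec["version"] = rec["version"].split(":", 1)[1]   # "CEF:0" -> "0"
    rec["extension"] = _parse_extension(ext)
    return rec


def route_cef(rec):
    """Index column, first-match order: ML IDS/Malware, then Traffic, else Syslog.
    Returns (index, normalized_fields)."""
    ext = rec["extension"]
    fields = {name: ext[k] for k, name in TRAFFIC_KEYS.items() if k in ext}
    threat_key = THREAT_SOURCE.get(rec["device_vendor"])
    if threat_key and ext.get(threat_key):
        fields["threat"] = ext[threat_key]            # normalized threat field
        return "ML IDS/Malware", fields
    if len(fields) == len(TRAFFIC_KEYS):              # all of srcip, srcport, dstip, dstport, proto
        return "Traffic", fields
    return "Syslog", fields


# Constructed sample lines (not real device output); the first carries a syslog prefix.
SAMPLE_LINES = [
    "Dec 20 13:03:00 fw01 CEF:0|Check Point|VPN-1 & FireWall-1|R81|Threat|Threat Prevention|High|"
    "src=10.1.2.3 spt=51234 dst=203.0.113.7 dpt=443 proto=TCP cs1Label=attack_information cs1=Trojan.Win32.Agent",
    "CEF:0|F5|ASM|16.1|Illegal|Cross Site Scripting|5|"
    "src=198.51.100.9 spt=40000 dst=10.0.0.5 dpt=80 proto=TCP attack_type=Cross Site Scripting (XSS)",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|TRAFFIC|3|src=10.0.0.8 spt=53122 dst=1.1.1.1 dpt=53 proto=udp",
    "CEF:0|Acme|Widget|1.0|100|login ok|1|src=10.0.0.9 suser=alice msg=User logged in\\=ok",
]


def route_all(lines=SAMPLE_LINES):
    """Index chosen for each line, in order."""
    return [route_cef(parse_cef(line))[0] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        index, fields = route_cef(parse_cef(line))
        print(f"{index:15} {fields}")
```

The fourth sample has a source IP but no ports or protocol, so it lands in Syslog even though it is well-formed CEF; when a device's records are not showing up in Traffic, check which of the five fields the vendor actually emits before suspecting the parser.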

In the Index column, "Traffic (5-tuple)" is short for "Traffic (srcip, srcport, dstip, dstport, and proto)".

Device | Port | msg_origin.source | msg_origin.category | Index
(OPNsense) Zenarmor plugin logs | 5604 | sunny_valley_networks_zenarmor | firewall | Traffic (5-tuple), Syslog (otherwise)
AAA - Core (CEF) | 5143 | netiq_advance_auth | iam | Traffic (5-tuple), Syslog (otherwise)
Accops | 5526 | accops | vpn | Traffic (srcip), Syslog (otherwise)
AhnLab AIPS | 5647 | ahnlab_aips | idps | Traffic (5-tuple), Syslog (otherwise)
AhnLab EMS | 5657 | ahnlab_ems | endpoint | Traffic (5-tuple), Syslog (otherwise)
AhnLab EPP | 5640 | ahnlab_epp | endpoint | Traffic (5-tuple), Syslog (otherwise)
AhnLab Policy Center | 5571 | ahnlab_policy_center | endpoint | Traffic (5-tuple), Syslog (otherwise)
AhnLab TrusGuard | 5558 | ahnlab_trusguard | firewall | Traffic (5-tuple), Syslog (otherwise)
AirGap Ransomware Kill Switch | 5602 | airgap_ransomware_kill_switch | saas | Traffic (5-tuple), Syslog (otherwise)
AIX | 5523 | aix | unixlogs | Traffic (event_time in hour:minute:second format), Syslog (otherwise)
Alcatel-Lucent Switch | 5677 | alcatel_lucent_switch | netlogs | Traffic (5-tuple), Syslog (otherwise)
Aliyun / AliCloud | 5545 | aliyun | paas | ML IDS/Malware (threat), Traffic (5-tuple), Syslog (otherwise)
Android | 5605 | android | unixlogs | Traffic (5-tuple), Syslog (otherwise)
Apache HTTP Server (httpd) | 5663 | apache_httpd | weblogs | Traffic (5-tuple), Syslog (otherwise)
AQTRONiX WebKnight | 5658 | aqtronix_webknight | waf | Traffic (5-tuple), Syslog (otherwise)
Aqua Cloud Native Application Protection Platform (CNAPP 2022.4) | 5656 | aquasecurity_cnapp | paas | Traffic (5-tuple), Syslog (otherwise)
Arbor Peakflow SP | 5598 | arbor_peakflow_sp | ndr | Traffic (5-tuple), Syslog (otherwise)
Array Networks APV Series Load Balancing & App Delivery | 5680 | array_networks_apv | netlogs | Traffic (5-tuple), Syslog (otherwise)
Array Networks ASF 1800 | 5675 | array_networks_asf_1800 | waf | Traffic (5-tuple), Syslog (otherwise)
Array Networks Secure Access Gateway | 5537 | array_sag | vpn | Traffic (srcip), Syslog (otherwise)
Aruba ClearPass Policy Manager (CEF) | 5143 | aruba_clear_pass | iam | Traffic (5-tuple), Syslog (otherwise)
Aruba Switch | 5577 | aruba_switch | netlogs | Traffic (5-tuple), Syslog (otherwise)
Automox | 5183 | automox | patch | Syslog
Avanan | 5681 | avanan | email | Traffic (5-tuple), Syslog (otherwise)
Avanan (HTTP JSON) | 5200 (tcp only) | avanan | email | Syslog
Avaya Switch | 5607 | avaya_switch | netlogs | Traffic (5-tuple), Syslog (otherwise)
AWS WAF (HTTP JSON) | 5200 (tcp only) | aws_waf | waf | Syslog
Azure ATP (CEF) | 5143 | azure_atp | iam | Traffic (5-tuple), Syslog (otherwise)
Azure MFA | 5528 | azure_mfa | iam | Traffic (srcip), Syslog (otherwise)
Barracuda Email | 5559 | barracuda_email | email | ML IDS/Malware (threat), Traffic (5-tuple), Syslog (otherwise)
Barracuda Firewall | 5524 | barracuda_fw | firewall | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
Barracuda WAF | 5524 | barracuda_waf | waf | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
BeyondTrust BeyondInsight | 5621 | beyondtrust_beyondinsight | iam | Traffic (5-tuple), Syslog (otherwise)
BeyondTrust PasswordSafe | 5692 | beyondtrust_passwordsafe | iam | Traffic (5-tuple), Syslog (otherwise)
Bitdefender (HTTP JSON / Syslog JSON) | 5200 (tcp only) / 5142 | bitdefender | endpoint | Traffic (5-tuple), Syslog (otherwise)
BlackBerry CylancePROTECT & CylanceOPTICS | 5177 | cylance, cylance_optics, cylance_protect | endpoint | Traffic (srcip), Syslog (otherwise)
Blue Coat ProxySG | 5576 | bluecoat_proxysg | websec | Traffic (5-tuple), Syslog (otherwise)
Brocade switch (system & admin logs) | 5548 | brocade_switch | netlogs | Traffic (5-tuple), Syslog (otherwise)
Calyptix UTM | 5161 | calyptix | firewall | ML IDS/Malware (ids.signature), Traffic (srcip), Syslog (otherwise)
CentOS Audit | 5673 | centos_audit | unixlogs | Traffic (5-tuple), Syslog (otherwise)
Centrify | 5165 | centrify | iam | Syslog
Cerberus FTP logs | 5635 | cerverus_ftp | unixlogs | Traffic (5-tuple), Syslog (otherwise)
Check Point - Application Control (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (5-tuple), Syslog (otherwise)
Check Point - URL Filtering (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (5-tuple), Syslog (otherwise)
Check Point appliance | 5174 | fw_checkpoint_appliance | firewall | Traffic (5-tuple), Syslog (otherwise)
Check Point firewall | 5519 | fw_checkpoint | firewall | Traffic (srcip), Syslog (otherwise)
Check Point Harmony EP | 5618 | checkpoint_harmony_ep | endpoint | Traffic (5-tuple), Syslog (otherwise)
Check Point VPN-1 & FireWall-1 (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (5-tuple), Syslog (otherwise)
Cisco ASA | 5518 | fw_cisco_asa | firewall | Traffic (srcip), Syslog (otherwise)
Cisco CUCM | 5532 | cisco_cucm | voip | Syslog
Cisco ESA | 5562 | cisco_esa | email | ML IDS/Malware (threat), Traffic (5-tuple), Syslog (otherwise)
Cisco ESA | 5164 (deprecated) | openldap_style | email | Syslog
Cisco Firepower | 5168 | ips_fire_power | firewall | Traffic (srcip), Syslog (otherwise)
Cisco IKE | 5176 | ciscovpn | vpn | Syslog
Cisco IronPort | 5163 | cisco_ironport | email | Syslog
Cisco ISE | 5157 | ciscoise | asset | Syslog
Cisco MDS | 5563 | cisco_mds | netlogs | ML IDS/Malware (threat), Traffic (5-tuple), Syslog (otherwise)
Cisco Meraki | 5172 | meraki | firewall | Traffic (srcip), Syslog (otherwise)
(unlabeled entry following Cisco Meraki; Device, Port and msg_origin columns are missing from the extracted page) | - | - | - | ML IDS/Malware (threat; device_event_category, msg, signature, event_severity), Traffic (5-tuple), Syslog (otherwise)
Cisco NetFlow | 2055 (udp only) | netflow | traffic | Traffic
Cisco routers and switches | 5158 | cisco_router_switch | netlogs | Syslog
Cisco UCS | 5579 | cisco_ucs | unixlogs | Traffic (5-tuple), Syslog (otherwise)
Cisco Umbrella | 5521 | cisco_umbrella | dnssec | Syslog
Cisco VPN | 5156 | ciscovpn | vpn | Syslog
Cisco WLC | 5531 | cisco_wlc | wireless | Syslog
Citrix Access Gateway | 5688 | citrix_access_gateway | iam | Traffic (5-tuple), Syslog (otherwise)
Citrix NetScaler | 5166 | netscaler | netmgmt | Syslog
Citrix NetScaler (CEF) | 5143 | netscaler | netmgmt | Traffic (5-tuple), Syslog (otherwise)
CoSoSys Endpoint Protection | 5654 | cososys | endpoint | Traffic (5-tuple), Syslog (otherwise)
Comodo CIS / CCS (CEF) | 5143 | comodo | endpoint | Traffic (5-tuple), Syslog (otherwise)
Corelight Sensor | 5575 | corelight_sensor | websec | Traffic (5-tuple), Syslog (otherwise)
Cribl default (Syslog JSON) | 5142 | json | xdr | Traffic (5-tuple), Syslog (otherwise)
Cribl / NXLog (log -> NXLog -> Cribl) (Syslog JSON) | 5142 | microsoft | endpoint | Windows Events
CrowdStrike (beats) | 5044 | crowdstrike | endpoint | Syslog
CrowdStrike (CEF) | 5143 | crowdstrike | endpoint | Traffic (5-tuple), Syslog (otherwise)
CyberArk PTA (CEF) | 5143 | cyberark | iam | Traffic (5-tuple), Syslog (otherwise)
Cynet (CEF) | 5143 | cynet | xdr | Traffic (5-tuple), Syslog (otherwise)
D-Link | 5189 | dlink | wireless | Traffic (srcip), Syslog (otherwise)
DBSafer | 5181 | dbsafer | dlp | Syslog
Deep Instinct | 5628 | deep_instinct | saas | Traffic (5-tuple), Syslog (otherwise)
Dell EMC PowerStore | 5683 | dell_powerstore | storage | Traffic (5-tuple), Syslog (otherwise)
Dell iDRAC | 5566 | dell_idrac | saas | Traffic (5-tuple), Syslog (otherwise)
Dell Switch | 5578 | dell_switch | netlogs | Traffic (5-tuple), Syslog (otherwise)
DHCP (beats) | 5044 | dhcp | netmgmt | Traffic (srcmac), Syslog (otherwise)
DHCPD (ISC DHCP) | 5554 | dhcpd | netmgmt | Traffic (5-tuple), Syslog (otherwise)
DNSVault RPZdb | 5639 | dnsvault_rpzdb | ndr | Traffic (5-tuple), Syslog (otherwise)
Dragos (CEF) | 5539 | dragos | otsec | Traffic (srcip), Syslog (otherwise)
DrayTek Firewall | 5593 | draytek_fw | firewall | Traffic (5-tuple), Syslog (otherwise)
eDictionary (CEF) | 5143 | edictionary | endpoint | Traffic (5-tuple), Syslog (otherwise)
Egnyte (Syslog JSON / HTTP JSON) | 5142 / 5200 (tcp only) | egnyte | endpoint | Traffic (5-tuple), Syslog (otherwise)
Ericom ZTEdge | 5603 | ericom_ztedge | ndr | Traffic (5-tuple), Syslog (otherwise)
ESET PROTECT | 5655 | eset_protect | endpoint | Traffic (5-tuple), Syslog (otherwise)
ExtraHop (CEF) | 5143 | extrahop | ndr | Traffic (5-tuple), Syslog (otherwise)
Extreme AirDefense | 5612 | extreme_airdefense | idps | Traffic (5-tuple), Syslog (otherwise)
Extreme Controller | 5666 | extreme_controller | wireless | Traffic (5-tuple), Syslog (otherwise)
ExtremeCloud IQ Site Engine | 5614 | extreme_site_engine | asset | Traffic (5-tuple), Syslog (otherwise)
F5 - ASM (CEF) | 5143 | f5 | waf | ML IDS/Malware (threat, normalized from attack_type), Traffic (5-tuple), Syslog (otherwise)
F5 BIG-IP | 5162 | f5_big_ip | firewall | ML IDS/Malware (IDS signature), Traffic (5-tuple), Syslog (otherwise)
F5 BIG-IP Telemetry (HTTP JSON) | 5200 (tcp only) | f5_big_ip | firewall | Syslog
F5 IPI | 5536 | f5_threat_intelligence | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 iRule | 5536 | f5_irule | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 L7 DDoS | 5536 | f5_l7ddos | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 Mitigation | 5536 | f5_ddos | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 NGINX | 5151 | nginx | weblogs | Syslog
F5 Silverline | 5536 | f5_silverline | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
F5 VPN | 5187 | f5_vpn | vpn | Syslog
F5 WAF | 5536 | f5_waf | waf | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise)
FatPipe Networks SD-WAN | 5583 | fatpipe_sd_wan | netmgmt | Traffic (5-tuple), Syslog (otherwise)
Fluentd (HTTP JSON) | 5200 (tcp only) | kubernetes | paas | Traffic (5-tuple), Syslog (otherwise)
Forcepoint | 5143 | forcepoint_dlp | dlp | Traffic (5-tuple), Syslog (otherwise)
Forcepoint - Firewall (CEF) | 5143 | forcepoint_fw | firewall | Traffic (5-tuple), Syslog (otherwise)
Forcepoint - DLP (CEF) | 5143 | forcepoint | dlp | Traffic (5-tuple), Syslog (otherwise)
Forcepoint - Firewall (CEF) | 5143 | forcepoint | firewall | Traffic (5-tuple), Syslog (otherwise)
Forcepoint Web Security (CEF) | 5143 | forcepoint | paas | Traffic (5-tuple), Syslog (otherwise)
ForeScout | 5154 | forescout | asset | Syslog
Fortinet FortiAnalyzer | 5542 | forti_analyzer | ndr | ML IDS/Malware (vendor.attack_name), Traffic (dstip), Syslog (otherwise)
Fortinet FortiAuthenticator | 5671 | fortinet_fortiauthenticator | iam | Traffic (5-tuple), Syslog (otherwise)
Fortinet FortiEDR | 5661 | fortinet_fortiedr | endpoint | Traffic (5-tuple), Syslog (otherwise)
Fortinet FortiCloud FortiClient EMS Cloud Endpoint Management Services | 5682 | fortinet_forticlient_ems | endpoint | Traffic (5-tuple), Syslog (otherwise)
Fortinet FortiGate | 5517 | fw_fortigate | firewall | Traffic (action), Syslog (otherwise)
Fortinet FortiGate (CEF) | 5143 | fw_fortigate | firewall | Traffic (5-tuple), Syslog (otherwise)
Fortinet FortiMail | 5616 | forti_mail | email | Traffic (5-tuple), Syslog (otherwise)
Fortinet FortiSandbox | 5648 | fortinet_fortisandbox | asset | Traffic (5-tuple), Syslog (otherwise)
Fortinet FortiWeb | 5642 | fortinet_fortiweb | waf | Traffic (5-tuple), Syslog (otherwise)
FutureSystems WeGuardia SSL plus (SSL VPN) | 5651 | future_systems_weguardia_ssl_plus | vpn | Traffic (5-tuple), Syslog (otherwise)
Graylog format | 5569 | graylog | endpoint | Windows Events (winlogevent), ML IDS/Malware (threat), Traffic (5-tuple), Syslog (otherwise)
Guardicore (CEF) | 5143 | guardicore | cloudsec | Traffic (5-tuple), Syslog (otherwise)
HanDreamnet VIPM | 5676 | handreamnet_vipm | netlogs | Traffic (5-tuple), Syslog (otherwise)
Hewlett Packard UNIX (HP-UX) | 5585 | hp-ux | unixlogs | Traffic (5-tuple), Syslog (otherwise)
Hillstone | 5514 | fw_hillstone | firewall | ML IDS/Malware (log_type: threat), Traffic (log_type: traffic)
HPE Switch | 5595 | hpe_switch | netlogs | Traffic (5-tuple), Syslog (otherwise)
IBM AS/400 | 5632 | ibm_i | ibm_os_logs | Traffic (5-tuple), Syslog (otherwise)
Impero ContentKeeper | 5670 | impero_contentkeeper | websec | Traffic (5-tuple), Syslog (otherwise)
Incapsula SIEM Integration (CEF) | 5143 | incapsula | waf | Traffic (5-tuple), Syslog (otherwise)
Imperva - SecureSphere (CEF) | 5143 | imperva_secure_sphere | ndr | Traffic (5-tuple), Syslog (otherwise)
Indusface Web Application Firewall | 5582 | indusface_waf | waf | ML IDS/Malware (threat), Traffic (5-tuple), Syslog (otherwise)
Infoblox Data Connector (CEF) | 5143 | infoblox | ndr | Traffic (5-tuple), Syslog (otherwise)
Infoblox Network Identity OS (NIOS) | 5587 | infoblox_nios | dnssec | Traffic (5-tuple), Syslog (otherwise)
Infocyte HUNT (CEF) | 5143 | infocyte | endpoint | Traffic (5-tuple), Syslog (otherwise)
IronScales (CEF) | 5143 | ironscales_irontraps | email | Traffic (5-tuple), Syslog (otherwise)
IPFIX | 4739 (udp only) | ipfix | traffic | Traffic (srcip, srcport, dstip, dstport, and proto)
Jsonar Database Security Tool | 5586 | jsonar_db_security_tool | dblogs | Traffic (5-tuple), Syslog (otherwise)
Juniper SRX | 5173 | fw_juniper_srx | firewall | Traffic (srcip), Syslog (otherwise)
Juniper SSG | 5516 | fw_juniper_ssg | firewall | Traffic (srcip), Syslog (otherwise)
Juniper Switch | 5591 | juniper_switch | netlogs | Traffic (5-tuple), Syslog (otherwise)
Kaspersky Lab (CEF) | 5143 | kasperskylab | endpoint | Traffic (5-tuple), Syslog (otherwise)
Kemp Technologies LoadMaster LB | 5695 | kemp_technologies_load_master_lb | weblogs | Traffic (5-tuple), Syslog (otherwise)
Keycloak | 5653 | keycloak | iam | Traffic (5-tuple), Syslog (otherwise)
Lancope - StealthWatch (LEEF) | 5522 | lancope_stealthwatch | firewall | Traffic (srcip), Syslog (otherwise)
LanScope Cat | 5588 | lanscope_cat | endpoint | Syslog
Lepide | 5607 | lepide | endpoint | Traffic (5-tuple), Syslog (otherwise)
Linux Syslog | 5555 | linux_syslog | unixlogs | ML IDS/Malware (threat), Traffic (5-tuple), Syslog (otherwise)
Logstash Suricata | 5629 | logstash_suricata | ndr | ML IDS/Malware (threat), Traffic (5-tuple), Syslog (otherwise)
Mailboarder Agent | 5580 | mailboarder_agent | email | Traffic (5-tuple), Syslog (otherwise)
Mako Networks firewall | 5547 | mako_fw | firewall | Traffic (dstip), Syslog (otherwise)
ManageEngine ADAudit Plus | 5679 | manageengine_adaudit_plus | iam | Traffic (5-tuple), Syslog (otherwise)
ManageEngine ADAudit Plus (CEF) | 5143 | manageengine | iam | Windows Events
McAfee (CEF) | 5143 | mcafee_web_gateway if "Web Gateway" is in the product name; otherwise the value is taken from the CEF vendor field | ndr | Traffic (5-tuple), Syslog (otherwise)
McAfee Advanced Threat Defense | 5584 | mcafee_atd | ndr | Traffic (5-tuple), Syslog (otherwise)
McAfee ePolicy Orchestrator | 5533 | mcafee_epo | endpoint | Traffic (srcip), Syslog (otherwise)
McAfee Firewall | 5169 | mcafee_firewall | firewall | Traffic (srcip), Syslog (otherwise)
McAfee Network Security | 5527 | mcafee_ns | ipds | Traffic (srcip), Syslog (otherwise)
MCAS SIEM Agent (CEF) | 5143 | mcas | firewall | Windows Events
Medigate | 5631 | medigate | iotsec | Traffic (5-tuple), Syslog (otherwise)
Menlo Security MS-XL50M | 5630 | menlo | websec | Traffic (5-tuple), Syslog (otherwise)
Microsoft IIS | 5636 | microsoft_iis | netmgmt | Traffic (5-tuple), Syslog (otherwise)
Microsoft IIS (Syslog JSON) | 5142 | json | weblogs | Syslog
Microsoft Office 365 | 5627 | office365 | office_suite | Windows Events
Microsoft Windows Event | 5646 | microsoft_windows_event | endpoint | Windows Events (winlogevent), Syslog (otherwise)
Microsoft Windows via Graylog | 5569 | microsoft_windows | endpoint | Windows Events (winlogevent)
MicroWorld eScan | 5645 | microworld_escan | endpoint | Traffic (5-tuple), Syslog (otherwise)
MikroTik firewall and router | 5553 | mikrotik | firewall | Traffic (5-tuple), Syslog (otherwise)
MONITORAPP AI WAF 4.1 | 5613 | monitorapp_ai_waf | waf | Traffic (5-tuple), Syslog (otherwise)
MONITORAPP WAF 1.0 | 5535 | monitor_app | websec | Traffic (srcip), Syslog (otherwise)
Nasuni | 5592 | nasuni | paas | Traffic (5-tuple), Syslog (otherwise)
NetApp | 5608 | netapp | dblogs | Traffic (5-tuple), Syslog (otherwise)
Netfilter | 5544 | netfilter | netlogs | Traffic (dstip), Syslog (otherwise)
NetIQ - Identity Manager (CEF) | 5143 | netiq_identity_manager | iam | Traffic (5-tuple), Syslog (otherwise)
NetIQ Access Manager | 5167 | access_manager | iam | Syslog
NetIQ SSO | 5171 | netiqsso | iam | Syslog
Netman Smart NAC | 5650 | netman_smart_nac | iam | Traffic (5-tuple), Syslog (otherwise)
NetMotion | 5641 | absolute_netmotion | vpn | Traffic (5-tuple), Syslog (otherwise)
NXLog (also see Cribl, above) | 5601 | nxlog | paas | Windows Events (winlogevent), Traffic (5-tuple), Syslog (otherwise)
OneLogin | 5581 | one_login | iam | Traffic (5-tuple), Syslog (otherwise)
OpenLDAP (for Cisco ESA, use 5562) | 5164 | openldap_style | email | Syslog
OpenCanary | 5638 | opencanary | ndr | Traffic (5-tuple), Syslog (otherwise)
OpenShift | 5573 | redhat_openshift | paas | Traffic (5-tuple), Syslog (otherwise)
OpenVPN | 5643 | openvpn | vpn | Traffic (5-tuple), Syslog (otherwise)
OPNsense | 5660 | opnsense | paas | Traffic (5-tuple), Syslog (otherwise)
Oracle DB | 5170 | oracle | dblogs | Traffic (srcip), Syslog (otherwise)
Oracle Solaris | 5664 | oracle_solaris | unixlogs | Traffic (5-tuple), Syslog (otherwise)
Ordr Connected Device Security | 5622 | ordr_cds | endpoint | Traffic (5-tuple), Syslog (otherwise)
5686 packetfence netmgmt Traffic


PacketFence
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Palo Alto Networks - Next 5522 fw_aplo_alto firewall Traffic


Generation Firewall (LEEF) (srcip),
Syslog
(otherwise)

Palo Alto Networks - Traps 5143 palo_alto_networks_traps_agent xdr Traffic


(srcip,
Agent (CEF) srcport,
dstip,

21 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

dstport,
and proto),
Syslog
(otherwise)

Palo Alto Networks firewall 5515 fw_palo_alto firewall Traffic


(type:
traffic), ML
IDS/Malwar
e (type:
threat),
Syslog
(otherwise)

Palo Alto Networks Firewall 5569 fw_palo_alto firewall Traffic


via Graylog (srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Penta Security WAPPLES 5560 penta_security_wapples waf Traffic


WAF (srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

5665 peplink_xdr xdr Traffic


Peplink XDR
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Perception Point X-Ray 5667 perceptionpoint_xray saas Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

pfSense Firewall 5543 pfsense_fw firewall Syslog

PIOLINK WEBFRONT-K 5617 piolink_webfront_k waf Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

PrintChaser 5179 printchaser Syslog


dlp

Privacy-i 5178 privacy dlp Syslog

Proofpoint 5596 proofpoint email Syslog


(5160 is deprecated)

Pulse Secure 5534 pulse_secure vpn Syslog

Radware DefensePro 5619 radware_defense_pro idps Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Rapid7 5153 rapid7 security_scan Syslog

RazLeeSecurity - Audit (CEF) 5143 ibm_raz_lee_security endpoint Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

RSA Authentication Manager 5184 rsa_auth nsa Syslog

Ruckus ZoneDirector 5662 ruckus_zone_director wireless Traffic


(srcip,
srcport,

22 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

dstip,
dstport,
and proto),
Syslog
(otherwise)

5689 ruijie_switch netlogs Traffic


RuiJie Switch
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

SafePC 5180 safepc cloudsec Syslog

5637 sangfor_ngaf firewall Traffic


Sangfor NGAF
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

SECUI Firewall 5561 secui_fw firewall Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

SECUI MF2 Firewall 5570 secui_mf2 firewall Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

5611 secui_mfd idps Traffic


SECUI MFD
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

5693 secureki_appm iam Traffic


Secureki APPM 6
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Security Strategy Research 5572 ssr_metieye Traffic


websec
(SSR) Metieye (srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Secuway SSLVPN 5652 secuwiz_secuway_sslvpn vpn Traffic


(U v1.0 / M v3.0, v3.1 (srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

SentinelOne (CEF2) 5175 cef_device_vendor endpoint Traffic


(srcip),
Click here to configure log
Syslog
ingestion
(otherwise)

23 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

SentinelOne Mgmt (CEF) 5143 sentinelone_endpoint endpoint ML


IDS/Malwar
e (threat,
normalized
from
classificatio
n), Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

SentinelOne Security Center 5143 sentinelone_endpoint endpoint ML


(CEF) IDS/Malwar
e (threat,
normalized
from
classificatio
n), Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

SentinelOne Singularity 5623 sentineone_sm endpoint Traffic

Mobile (srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

ServiceNow Now Platform 5668 servicenow_nowplatform paas Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

5609 sharetech_fw firewall Traffic


ShareTech Firewall
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Snare Agent 5590 snare_agent paas Windows


Events
(winlogeve
nt), Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Sniper IPS 5182 sniperips idps Traffic


(srcip),
Syslog
(otherwise)

SonicWall (CEF) 5143 sonicwall firewall Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

24 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

SonicWall - NSA 2400 (CEF) 5143 sonicwall_nsa firewall Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

SonicWall Firewall 5152 sonicfw firewall ML


IDS/Malwar
e (IDS
signature),
Traffic
(srcip),
Syslog
(otherwise)

SonicWall VPN 5556 sonicwall_vpn vpn Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Sophos (CEF) 5143 sophos endpoint Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Sophos (JSON) 5530 sophos endpoint Traffic


(endpoint_t
ype:
traffic), ML
IDS/Malwar
e
(endpoint_t
ype:
threat),
Syslog
(endpoint_t
ype:
computer)

Sophos endpoint 5565 endpoint_sophos endpoint Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Sophos endpoint (beats) 5044 endpoint_sophos endpoint Traffic


(srcip),
Syslog
(otherwise)

Sophos firewall 5520 fw_sophos firewall Data goes


to the
indicated
index
based on
the
log_type:
• If
Fire
wall
,
the
n
Traf
fic
ind
ex
• If
any
one
of
IDP,
Anti
-
Viru

25 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

s,
Anti
-
Spa
m,
or
Con
tent
Filt
er it
goe
s to
ML-
IDS
/Ma
lwar
e
Ind
ex
• For
any
oth
er
log
_ty
pe,
if
srci
p
exis
ts
the
n it
goe
s to
the
Traf
fic
Ind
ex
• All
oth
er
dat
a
goe
s to
the
Sys
log
ind
ex

Sophos Web Appliance 5626 sophos_web_app websec Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Splunk Heavy Forwarder 5188 splunk_forwarder netmgmt Syslog

Stormshield Net Security 5625 stormshield_fw firewall Traffic


(srcip,
Firewall
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Symantec Endpoint Protection 5525 symantec_ep endpoint Traffic


(dstip),
Syslog
(otherwise)

Symantec Firewall 5155 symantec firewall Syslog

Symantec Messaging 5567 symantec_messaging_gateway email Traffic


Gateway (srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

26 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

5143 symantec_dlp dlp Traffic


Symantec (CEF)
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Synology Directory Server 5597 synology_directory_server asset Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Thales Group CipherTrust 5674 thales_cipher_trust_manager iam Traffic


(srcip,
Manager
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

5644 fireeye_hx endpoint Traffic


Trellix FireEye HX
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Trend Micro - Deep Security 5522 trendmicro_dsa endpoint Traffic


(srcip),
Agent (LEEF) Syslog
(otherwise)

Trend Micro Apex Central 5143 trendmicro_apex_central endpoint Traffic


(CEF) (srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Trend Micro (CEF) 5143 trendmicro endpoint Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Trend Micro Interscan 5678 trend_micro_interscan_messaging saas Traffic


(srcip,
Messaging
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Trend Micro Proxy 5540 trendmicro_proxy websec Traffic


(dstip),
Syslog
(otherwise)

Trend Micro TippingPoint 5672 trend_micro_tippingpoint_ips idps Traffic


Intrusion Prevention System (srcip,
srcport,
(IPS)
dstip,
dstport,
and proto),
Syslog
(otherwise)

Tripwire Enterprise 5186 tripwire endpoint Syslog

Ubiquiti 5552 ubiquiti netlogs Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

27 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

5633 unix unixlogs Traffic


Unix
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Untangle Firewall (Syslog 5142 json firewall ML


JSON) IDS/Malwar
e (threat),
Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Varonis DatAdvantage (CEF) 5143 varonis_datadvantage dlp Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Versa Networks Firewall 5568 versa_networks_fw firewall ML


IDS/Malwar
e (threat),
Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

VMware - Carbon Black 5522 vmware_cb endpoint Traffic


(srcip),
(LEEF) Syslog
(otherwise)

VMware ESXi 5600 vmware unixlogs Syslog

5687 vmware_horizon paas Traffic


VMWare Horizon
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

VMware NSX-T Data Center 5574 vmware_nsx_t endpoint (unless log type is Traffic
dfwpktlogs, then category is (srcip,
firewall)
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

5620 vmware_uag iam Traffic


VMware UAG
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

5615 vmware_vcenter itsm Traffic


VMware Vcenter
(srcip,
srcport,
dstip,

28 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

dstport,
and proto),
Syslog
(otherwise)

VMWare VeloCloud SD-WAN 5685 vmware_velocloud_sdwan netmgmt Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

WatchGuard - XTM (LEEF) 5522 watchguard_fw firewall Traffic


(srcip),
Syslog
(otherwise)

WatchGuard firewall security 5557 watchguard_fw firewall Traffic


appliance (srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

5634 wazuh_siem endpoint Windows E


Wazuh
vents
(winlogeve
nt) , Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Windows DNS Server 5599 windows_dns_server weblogs Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Windows Event NXLog 5601 microsoft_windows endpoint Windows


Events
Click here to configure HostIP
(winlogeve
nt), Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Windows System Security 5610 windows_system_security endpoint Windows


Events
(winlogeve
nt), Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Wins IPS ONE-1 / Wins DDX 5538 winsips idps ML


IDS/Malwar
e
(vendor.att
ack_name)
, Syslog
(otherwise)

WINS Sniper NGFW 5649 wins_sniper_ngfw firewall Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Zix Mail 5185 zix_mail email Traffic


(srcip),

29 de 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...

Device Port msg_origin.source msg_origin.category Index

Syslog
(otherwise)

Zscaler NSSWeblog (CEF) 5143 zscaler websec Syslog

Zscaler ZIA Firewall 5549 zscaler_zia_fw firewall ML


IDS/Malwar
e (threat),
Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Zscaler ZIA Web 5550 zscaler_zia_web weblogs ML


IDS/Malwar
e (threat),
Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Zscaler ZPA 5551 zscaler_zpa vpn ML


IDS/Malwar
e (threat),
Traffic
(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Zyxel Firewall 5594 zyxel_fw firwall Traffic


(srcip,
srcport,
dstip,
dstport,
and proto),
Syslog
(otherwise)

Stellar Cyber version 4.3.7 © 2023 Stellar Cyber. All rights reserved.
