Unless otherwise noted, the ports listed are applicable for both UDP and TCP.
During installation, the sensor timezone is automatically set to UTC+0. Because the logs of some security
products include only the local time without a timezone, Stellar Cyber recommends that you set the sensor
timezone to the same timezone as the security product sending the logs.
• For sensors running 4.3.5, you configure port relay in the sensor CLI using the instructions below.
• For sensors running 4.3.6, you configure port relay in the System | Collection | Log Sources
page. In 4.3.6, CLI configuration is deprecated and only the Log Sources page is used.
1 of 30 20/12/2023, 1:03 p. m.
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...
You can also use the ingestion-port argument if you want to listen for a source on the generic TLS syslog
port instead of the default of 514. For example, for Netfilter logs sent from 10.31.2.2, you would use the
following command to relay them from 6514 to their vendor-specific parser port of 5544:
set logforwarder device-ip 10.31.2.2 parser-port 5544 ingestion-port 6514
• The show logforwarder port-ingestion command is also a useful tool for troubleshooting port relay entries.
You can see packet and byte counts for relayed traffic and determine whether traffic is reaching the sensor.
• You can remove port relay entries using unset logforwarder device-ip <IP Address>.
• The CLI warns you if you try to add an unsupported parser port. It still adds the unsupported port but lists it
in the show logforwarder port-ingestion output as inactive.
In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log
parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser
type (cef, leef).
When the DP processes the logs, it decides the index based on the data in the logs. For example, in the table the
Index for LEEF is "Traffic (srcip), Syslog (otherwise)". This means that the index is Traffic if a source IP
address is detected, and Syslog if not; the rules are evaluated in the order listed.
Following are the firewall ports to open for generic log formats, along with other useful details.
Columns: Standard, Port, msg_origin.source, Index, Comments.

Standard: CEF
Port: 5143
msg_origin.source: cef_device_vendor
Index: Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Comments: We recommend you use CEF, if available. The following vendor records are also indexed in ML IDS / Malware, with the threat field being normalized from logs as indicated below:
• If cef_device_vendor: Check Point, then the threat field is normalized from attack_information.
• If cef_device_vendor: F5, then the threat field is normalized from attack_type.
• If cef_device_vendor: SentinelOne, then the threat field is normalized from classification.
Standard: HTTP JSON
Port: 5200 (tcp)
msg_origin.source: httpjson
Index: Syslog
Comments: When you configure your log forwarding for the HTTP JSON parser on this port, you must append /httpjson at the end of the URL of the target sensor. Example: http://<sensor-ip>:5200/httpjson
Standard: LEEF
Port: 5522
msg_origin.source: vendor
Index: Traffic (srcip), Syslog (otherwise)
Comments: We recommend you use LEEF, if available.
In the Interflow, there are also fields for msg_origin.processor.type, which is always log_forwarder for log
parsers, and msg_origin.processor.name, which stores specific components of the parser, such as the parser
name.
The index column indicates the fields that must be present (and not null) for the logged data to be entered into
the respective index. In some cases, no specific field is required, so just the index name is listed. For many
parsers, the remaining data that is not mapped to a specific index is "otherwise" mapped into the Syslog index.
For example, for FortiAnalyzer logs received on port 5542, data is added to the ML IDS/Malware index if the
incoming field vendor.attack_name is not null. Data is added to the Traffic index if dstip is not null. The remaining
data is added to the Syslog index. Use the dev_type field in the Interflow to find the logs when threat hunting in
the specified index.
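The index-selection rules this page states for the CEF, LEEF, HTTP JSON and FortiAnalyzer parsers, plus the McAfee dev_type rule, written out as an added example (not Stellar Cyber's code). The parser labels, the flat record layout with dotted keys, and the fallback vendor-to-dev_type mapping are assumptions.

```python
# Added example (not Stellar Cyber's code): the index-selection rules this page
# states for the CEF, LEEF, HTTP JSON and FortiAnalyzer parsers, applied to a
# flat record dict (dotted names such as "vendor.attack_name" are plain keys).
FIVE_TUPLE = ("srcip", "srcport", "dstip", "dstport", "proto")
# CEF vendors also indexed in ML IDS/Malware, with the field that the
# normalized threat field is taken from (from the CEF row above).
CEF_THREAT_FIELD = {
    "Check Point": "attack_information",
    "F5": "attack_type",
    "SentinelOne": "classification",
}

def present(record: dict, field: str) -> bool:
    """A field only counts if it exists and is not null."""
    return record.get(field) is not None

def select_indexes(parser: str, record: dict) -> list:
    """Index names a record is written to, following each parser's Index column
    (CEF threat records land in ML IDS/Malware as well). Labels are assumed."""
    indexes = []
    if parser == "cef":  # port 5143
        threat_src = CEF_THREAT_FIELD.get(record.get("cef_device_vendor"))
        if threat_src and present(record, threat_src):
            record["threat"] = record[threat_src]  # normalized threat field
            indexes.append("ML IDS/Malware")
        all_five = all(present(record, f) for f in FIVE_TUPLE)
        indexes.append("Traffic" if all_five else "Syslog")
    elif parser == "leef":  # port 5522: Traffic (srcip), Syslog (otherwise)
        indexes.append("Traffic" if present(record, "srcip") else "Syslog")
    elif parser == "httpjson":  # port 5200 (tcp): always Syslog
        indexes.append("Syslog")
    elif parser == "fortianalyzer":  # port 5542
        if present(record, "vendor.attack_name"):
            indexes.append("ML IDS/Malware")
        elif present(record, "dstip"):
            indexes.append("Traffic")
        else:
            indexes.append("Syslog")
    else:
        raise ValueError(f"no routing rule on this page for parser {parser!r}")
    return indexes

def mcafee_dev_type(product_name: str, cef_vendor: str) -> str:
    """McAfee (CEF) row: Web Gateway products get a fixed dev_type. How the
    vendor field maps otherwise is not on the page; lowercasing is assumed."""
    if "Web Gateway" in product_name:
        return "mcafee_web_gateway"
    return cef_vendor.strip().lower().replace(" ", "_")
```

A record missing any one of the five tuple fields (or carrying it as null) falls through to Syslog, which is the usual reason a firewall log is "missing" from the Traffic index when threat hunting.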
Vendor: McAfee (CEF)
Port: 5143
msg_origin.source / dev_type: If Web Gateway is in the product name, dev_type is set to mcafee_web_gateway. Otherwise the value is determined from the CEF vendor field.
Category: ndr
Index: Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Log Parser Ports https://sisapcert.stellarcyber.cloud/prod-docs/Configure/Ports/Firewall-P...
s,
Anti
-
Spa
m,
or
Con
tent
Filt
er it
goe
s to
ML-
IDS
/Ma
lwar
e
Ind
ex
• For
any
oth
er
log
_ty
pe,
if
srci
p
exis
ts
the
n it
goe
s to
the
Traf
fic
Ind
ex
• All
oth
er
dat
a
goe
s to
the
Sys
log
ind
ex
Vendor: VMware NSX-T Data Center
Port: 5574
msg_origin.source / dev_type: vmware_nsx_t
Category: endpoint (unless log type is dfwpktlogs, then category is firewall)
Index: Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Stellar Cyber version 4.3.7 © 2023 Stellar Cyber . All rights reserved.