This table includes all supported vendor-specific parsers, the required firewall port, device type, and their associated Stellar Cyber indices.
The Index column lists the fields that must be present (and not null) in a record for it to be written to the respective index. In some cases no specific field is required, so only the index name is listed. For many parsers, data that does not match any specific index rule is "otherwise" mapped into the Syslog index. For example, for FortiAnalyzer logs received on port 5542, a record is added to the ML IDS/Malware index if the incoming field vendor.attack_name is not null, to the Traffic index if dstip is not null, and otherwise to the Syslog index. Use the dev_type field in the Interflow to find these logs when threat hunting in the specified index.

Device | Port | msg_origin.source | msg_origin.category | Index |
--- | --- | --- | --- | --- |
Accops | 5526 | accops | vpn | Traffic (srcip), Syslog (otherwise) |
AhnLab TrusGuard | 5558 | ahnlab_trusguard | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Alcatel Lucent Switch | 5677 | alcatel_lucent_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Aruba Switch | 5577 | aruba_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Avaya Switch | 5607 | avaya_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AXGATE Next Generation Firewall | 5703 | axgate_ngfw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Barracuda firewall | 5524 | barracuda_fw | firewall | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise) |
Brocade switch (system & admin logs) | 5548 | brocade_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Calyptix UTM | 5161 | calyptix | firewall | ML IDS/Malware (ids.signature), Traffic (srcip), Syslog (otherwise) |
Check Point - Application Control (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Check Point - URL Filtering (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CheckPoint appliance | 5174 | fw_checkpoint_appliance | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CheckPoint firewall | 5519 | fw_checkpoint | firewall | Traffic (srcip), Syslog (otherwise) |
CheckPoint VPN-1 & FireWall-1 (CEF) | 5143 | fw_checkpoint | firewall | ML IDS/Malware (threat, normalized from attack_information), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco ASA | 5518 | fw_cisco_asa | firewall | Traffic (srcip), Syslog (otherwise) |
Cisco Catalyst Firewall | 5702 | cisco_catalyst_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Firepower | 5168 | ips_fire_power | firewall | Traffic (srcip), Syslog (otherwise) |
Cisco IKE | 5176 | ciscovpn | vpn | Syslog |
Cisco MDS | 5563 | cisco_mds | netlogs | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Meraki | 5172 | meraki | firewall | Traffic (srcip), Syslog (otherwise) |
Cisco routers and switches | 5158 | cisco_router_switch | netlogs | Syslog |
Cisco VPN | 5156 | ciscovpn | vpn | Syslog |
Dell Switch | 5578 | dell_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
DrayTek Firewall | 5593 | draytek_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 BIG-IP | 5162 | f5_big_ip | firewall | ML IDS/Malware (IDS signature), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 BIG-IP Telemetry (HTTP JSON) | 5200 (tcp only) | f5_big_ip | firewall | Syslog |
F5 IPI | 5536 | f5_threat_intelligence | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 iRule | 5536 | f5_irule | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 L7 DDOS | 5536 | f5_l7ddos | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 Mitigation | 5536 | f5_ddos | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 Silverline | 5536 | f5_silverline | firewall | ML IDS/Malware (dev_type: /threat/), Traffic (dstip), Syslog (otherwise) |
F5 VPN | 5187 | f5_vpn | vpn | Syslog |
Forcepoint - Firewall (CEF) | 5143 | forcepoint_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint - Firewall (CEF) | 5143 | forcepoint | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Fortinet FortiGate | 5517 | fw_fortigate | firewall | Traffic (action), Syslog (otherwise) |
Fortinet FortiGate (CEF) | 5143 | fw_fortigate | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
FutureSystems WeGuardia SSL plus (SSL VPN) | 5651 | future_systems_weguardia_ssl_plus | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Hillstone | 5514 | fw_hillstone | firewall | ML IDS/Malware (log_type: threat), Traffic (log_type: traffic) |
HPE Switch | 5595 | hpe_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Juniper SRX | 5173 | fw_juniper_srx | firewall | Traffic (srcip), Syslog (otherwise) |
Juniper SSG | 5516 | fw_juniper_ssg | firewall | Traffic (srcip), Syslog (otherwise) |
Juniper Switch | 5591 | juniper_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Lancope - StealthWatch (LEEF) | 5522 | lancope_stealthwatch | firewall | Traffic (srcip), Syslog (otherwise) |
Mako Networks firewall | 5547 | mako_fw | firewall | Traffic (dstip), Syslog (otherwise) |
McAfee Firewall | 5169 | mcafee_firewall | firewall | Traffic (srcip), Syslog (otherwise) |
MCAS SIEM Agent (CEF) | 5143 | mcas | firewall | Windows Events |
MikroTik firewall and router | 5553 | mikrotik | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Netfilter | 5544 | netfilter | netlogs | Traffic (dstip), Syslog (otherwise) |
NetMotion | 5641 | absolute_netmotion | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
OpenVPN | 5643 | openvpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Palo Alto Networks - Next Generation Firewall (LEEF) | 5522 | fw_palo_alto | firewall | Traffic (srcip), Syslog (otherwise) |
Palo Alto Networks firewall | 5515 | fw_palo_alto | firewall | Traffic (type: traffic), ML IDS/Malware (type: threat), Syslog (otherwise) |
Palo Alto Networks Firewall via Graylog | 5569 | fw_palo_alto | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
pfSense Firewall | 5543 | pfsense_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog |
Pulse Secure | 5534 | pulse_secure | vpn | Syslog |
Radware Alteon | 5700 | radware_alteon | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
RuiJie Switch | 5689 | ruijie_switch | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sangfor NGAF | 5637 | sangfor_ngaf | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SECUI Firewall | 5561 | secui_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SECUI MF2 Firewall | 5570 | secui_mf2 | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Secuway SSLVPN | 5652 | secuwiz_secuway_sslvpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ShareTech Firewall | 5609 | sharetech_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SonicWall - NSA 2400 (CEF) | 5143 | sonicwall_nsa | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SonicWall Firewall | 5152 | sonicfw | firewall | ML IDS/Malware (IDS signature), Traffic (srcip), Syslog (otherwise) |
SonicWall VPN | 5556 | sonicwall_vpn | vpn | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos firewall | 5520 | fw_sophos | firewall | Data goes to the indicated index based on the log_type: |
Sophos Web Appliance | 5626 | sophos_web_app | websec | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Splashtop | 5698 | splashtop | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Splunk Heavy Forwarder | 5188 | splunk_forwarder | netmgmt | Syslog |
Stormshield Net Security Firewall | 5625 | stormshield_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Symantec Endpoint Protection | 5525 | symantec_ep | endpoint | Traffic (dstip), Syslog (otherwise) |
Symantec Firewall | 5155 | symantec | firewall | Syslog |
Symantec Messaging Gateway | 5567 | symantec_messaging_gateway | | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Symantec DLP (CEF) | 5143 | symantec | symantec_dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Synology Directory Server | 5597 | synology_directory_server | asset | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Syslog4Net | 5715 | syslog4net | log_processing | Windows Events (winlogevent), Syslog (otherwise) |
Thales Group CipherTrust Manager | 5674 | thales_cipher_trust_manager | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ThreatLocker Zero Trust EPP | 5200 (tcp only) | threat_locker_zero_trust_epp | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trellix FireEye HX | 5644 | fireeye_hx | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro - Deep Security Agent (LEEF) | 5522 | trendmicro_dsa | endpoint | Traffic (srcip), Syslog (otherwise) |
Trend Micro Apex Central (CEF) | 5143 | trendmicro_apex_central | endpoint | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro Interscan Messaging | 5678 | trend_micro_interscan_messaging | saas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Trend Micro Proxy | 5540 | trendmicro_proxy | websec | Traffic (dstip), Syslog (otherwise) |
Trend Micro TippingPoint Intrusion Prevention System (IPS) | 5672 | trend_micro_tippingpoint_ips | idps | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Tripwire Enterprise | 5186 | tripwire | endpoint | Syslog |
Ubiquiti | 5552 | ubiquiti | netlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Unix | 5633 | unix | unixlogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Untangle Firewall (Syslog JSON) | 5142 | json | firewall | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Varonis DatAdvantage (CEF) | 5143 | varonis_datadvantage | dlp | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Versa Networks Firewall | 5568 | versa_networks_fw | firewall | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware - Carbon Black (LEEF) | 5522 | vmware_cb | endpoint | Traffic (srcip), Syslog (otherwise) |
VMware ESXi | 5600 | vmware | unixlogs | Syslog |
VMware Horizon | 5687 | vmware_horizon | paas | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware NSX-T Data Center | 5574 | vmware_nsx_t | endpoint (unless log type is dfwpktlogs, then category is firewall) | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware UAG | 5620 | vmware_uag | iam | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware vCenter | 5615 | vmware_vcenter | itsm | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware VeloCloud SD-WAN | 5685 | vmware_velocloud_sdwan | netmgmt | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
WatchGuard - XTM (LEEF) | 5522 | watchguard_fw | firewall | Traffic (srcip), Syslog (otherwise) |
WatchGuard firewall security appliance | 5557 | watchguard_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Wazuh | 5634 | wazuh_siem | endpoint | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows DNS Server | 5599 | windows_dns_server | weblogs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows Event NXLog | 5601 | microsoft_windows | endpoint | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Windows System Security | 5610 | windows_system_security | endpoint | Windows Events (winlogevent), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Wins IPS ONE-1 / Wins DDX | 5538 | winsips | idps | ML IDS/Malware (vendor.attack_name), Syslog (otherwise) |
WINS Sniper NGFW | 5649 | wins_sniper_ngfw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zix Mail | 5185 | zix_mail | | Traffic (srcip), Syslog (otherwise) |
Zscaler NSSWeblog (CEF) | 5143 | zscaler | websec | Syslog |
Zscaler ZIA Firewall | 5549 | zscaler_zia_fw | firewall | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zscaler ZIA Web | 5550 | zscaler_zia_web | weblogs | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zscaler ZPA | 5551 | zscaler_zpa | vpn | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zyxel Firewall | 5594 | zyxel_fw | firewall | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |