...
You'll notice that the event contains no specific Devo tag. This is because Devo uses a different process to ingest these events. When a CEF Syslog event is sent to the platform, Devo recognizes CEF as the tag, then it proceeds to read the device vendor and device product values from the event's header. The event is then saved to a table with the name cef0.device_vendor.device_product.
So, are we saying that you can send any data to Devo in CEF Syslog format? Yes and no. Yes, because Devo will ingest the events and save them in a file determined by the date and key event fields. However, if Devo is not yet equipped with a parser for that specific event type, a table name will not subsequently appear in the Finder and you won't be able to access the data. So, yes Devo will ingest the data but a parser file is necessary in order to be able to access the data table and parse the events for display.
...
| Note |
|---|
HTTP Ingestions Note that it is not possible to ingest data to CEF tables using the HTTP ingestion method. |
List of technologies
| Anchor | ||||
|---|---|---|---|---|
|
The following list of more than 100 technologies that Devo supports in CEF Syslog is ordered alphabetically by vendor name. Each technology is listed along with its corresponding table name that will appear in the Devo data search Finder.
| Info | ||||||
|---|---|---|---|---|---|---|
Browse the technologies by vendor name or use
|
Technology | Data table name |
|---|---|
Akamai |
|
Amazon Web Services |
|
|
AnubisNetworks Cyberfeed |
|
Akamai Logger |
|
AWN CyberSOC |
|
AWS VPC Flow Log |
|
Barracuda Web Application Firewall |
|
Barracuda Networks |
|
Blue Coat Systems |
|
Carbon Black Protection |
|
Check Point |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Check Point Application Control |
|
Check Point dshield agent log |
|
Check Point Firewall |
|
Check Point Log Exporter |
|
Check Point Security Compliance |
|
Check Point Security Gateway |
|
Check Point Security Management Appliances |
|
Check Point SmartDashboard |
|
Check Point SmartDefense |
|
Check Point SmartView |
|
Check Point VPN Solutions |
|
Cisco ASA |
|
Cisco Email Security |
|
Cisco FWSM |
|
Cisco Intrusion Detection System |
|
Cisco Meraki Access Point |
|
Cisco NX-OS Software |
|
Cisco routers |
|
Cisco Secure Access Control System |
|
Cisco/Sourcefire FireSIGHT System Event Streamer (eStreamer) |
|
| |
Crowdstrike Falcon Host |
|
CyberArk Enterprise Password Vault |
|
Cybereason |
|
F5 ASM |
|
F5 BIG-IP Application Services |
|
Fireeye Email Security |
|
Forcepoint Data Loss Prevention |
|
Forcepoint Firewall |
|
Forcepoint Web Security |
|
Forescout CounterACT |
|
Fortinet FortiGate |
|
|
|
|
|
Fortinet FortiNAC |
|
IBM AS/400 |
|
IBM Guardium |
|
IBM Security |
|
Imperva Attack Analytics |
|
Imperva SecureSphere MX Management Server |
|
Infoblox Network Identity Operating System |
|
Ipswitch Secure File Transfer Software |
|
Juniper Junos OS |
|
Juniper NetScreen Security |
|
Juniper Network & Security Manager |
|
Juniper ScreenOS Firewall |
|
Juniper SSL VPN |
|
Kaspersky |
|
|
|
|
|
|
Lumension Endpoint Management and Security |
|
Malwarebytes |
|
McAfee ePolicy Orchestrator (McAfee ePO) |
|
McAfee Host Intrusion Prevention |
|
McAfee Next Generation Firewall |
|
McAfee Secure Internet Gateway |
|
Micro Focus ArcSight |
|
Microsoft Cloud App Security |
|
Microsoft DNS trace log |
|
Microsoft Defender ATP (now Microsoft Defender for Endpoint). |
|
Microsoft Exchange Server |
|
Microsoft Forefront Protection |
|
Microsoft Forefront Threat Management Gateway |
|
Microsoft IIS |
|
Microsoft Network Policy Server |
|
Microsoft SQL Server |
|
Microsoft System Center Configuration Manager |
|
Microsoft system events |
|
Microsoft Windows |
|
Nagios Network Monitoring |
|
Palo Alto Networks PAN-OS |
|
Powertech SIEM Agent |
|
Preempt Behavioral Firewall |
|
Proofpoint Messaging Security Gateway |
|
Qualys |
|
RSA Identity Management and Governance |
|
SAP - Security Audit Log |
|
Snort Intrusion Detection (Open source) |
|
SonicWall |
|
Sophos Anti-Virus |
|
Sophos XG firewall |
|
Stonesoft Firewall |
|
Symantec |
|
Symantec Data Loss Prevention |
|
Symantec Email Security |
|
Symantec Endpoint Protection Mobile |
|
Symantec ProxySG |
|
Trend Micro Control Manager |
|
Trend Micro Deep Discovery Analyzer |
|
Trend Micro TippingPoint Unity One IPS |
|
In order to start sending data to Devo using this tag, you must configure some parameters. Go to Policies → Common Objects → Other → Syslog Configuration and enter the following data. Click here for more info.
Server Name:
USA - us.elb.relay.logtrust.net
GCP (Spain) - es.elb.relay.logtrust.net
EU - eu.elb.relay.logtrust.net
Server Port - 443
Transport - TSL
Event format - CEF0
Private key -
Trend Micro XDR |
|
Tripwire Enterprise |
|
Unix Sendmail |
|
VMware ESX |
|
Watchguards XTM 11.x.x. |
|
Websense (now part of Forcepoint) |
|
Zscaler |
|
Sending data to Devo
CEF data can be sent directly to Devo or by using a relay. To use the CEF default relay rule, send to the relay’s port 13000.
To send the data directly, configure your data source to send to the Devo event load balancer.
Configuration | Detail |
|---|---|
Server Port | 443 |
Transport | TSL |
Event formart | CEF0 |
Private key | Enter your domain private key from the Devo app. To get it, go to Administration → Credentials → Access Keys |
Credentials | Access Keys |
Certificate |
Enter your domain private key from the Devo app. To get it, go to Administration → Credentials → X.509 Certificates | |
Credentials | X.509 Certificates. |
Chain |
Enter your domain private key from the Devo app. To get it, go to Administration → Credentials → X.509 Certificates. |
Trend Micro XDR
cef0.trendmicro.xdr +info
Tripwire Enterprise
cef0.tripwire.enterprise
Unix Sendmail
cef0.unix.sendmail
VMware ESX
cef0.vmware.esx
Watchguards XTM 11.x.x.
cef0.watchguards.xtm330 +info
Websense (now part of Forcepoint)
cef0.websense.security
Zscaler
cef0.zscaler.nssweblog +info