Document toolboxDocument toolbox

Technologies supported in CEF syslog format

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
5 min read
[ 1 About CEF Syslog format ] [ 2 How does it work ] [ 3 List of technologies ] [ 4 Sending data to Devo ]

This article contains a complete list of technologies currently supported by Devo in CEF Syslog format. 

About CEF Syslog format

While we recommend sending data to Devo in Syslog format whenever possible, we have provided support for the ingestion of events received in common event format (CEF) via Syslog for some technologies. A prime example is when Arcsight is used as a log management solution and events are going to be forwarded from Arcsight directly to Devo in CEF Syslog format.

This format is comprised of a Syslog prefix containing the date/time stamp and the host, and a header that always starts with CEF -  and is followed by a series of identifying fields - all of which are required. The last component is the extension and while it's technically optional, it's generally where the real event payload resides. The extension contains data in key-value pairs. Here's a model of the format and a sample CEF Syslog packet.

How does it work

You'll notice that the event contains no specific Devo tag. This is because Devo uses a different process to ingest these events. When a CEF Syslog event is sent to the platform, Devo recognizes CEF as the tag, then it proceeds to read the device vendor and device product values from the event's header. The event is then saved to a table with the name cef0.device_vendor.device_product.

So, are we saying that you can send any data to Devo in CEF Syslog format? Yes and no. Yes, because Devo will ingest the events and save them in a file determined by the date and key event fields. However, if Devo is not yet equipped with a parser for that specific event type, a table name will not subsequently appear in the Finder and you won't be able to access the data. So, yes Devo will ingest the data but a parser file is necessary in order to be able to access the data table and parse the events for display. 

Contact us

If you have data you must send to Devo in CEF Syslog format, and the source technology does not appear in the list below, contact Devo professional services so they can create a parser for the data.

HTTP Ingestions

Note that it is not possible to ingest data to CEF tables using the HTTP ingestion method.

List of technologies

The following list of more than 100 technologies that Devo supports in CEF Syslog is ordered alphabetically by vendor name. Each technology is listed along with its corresponding table name that will appear in the Devo data search Finder.

Browse the technologies by vendor name or use  CTRL + F to search this page.

Technology

Data table name

Technology

Data table name

Akamai

Amazon Web Services

AnubisNetworks Cyberfeed

  • cef0.anubisnetworks.cyberfeed

  • cef0.anubisnetworks.cyberfeedRealTimeThreatIntelligence

Akamai Logger

AWN CyberSOC

  • cef0.cybersoc.incapsula

  • cef0.cybersoc.servicedesk

AWS VPC Flow Log

Barracuda Web Application Firewall

Barracuda Networks

Blue Coat Systems

Carbon Black Protection

Check Point

Check Point Application Control

Check Point dshield agent log

  • cef0.checkPoint.stormagent

Check Point Firewall

  • cef0.checkPoint.firewall1

  • cef0.checkPoint.fwm

Check Point Log Exporter

  • cef0.checkPoint.logUpdate (shown as cef0.check-point.log-update)

Check Point Security Compliance

  • cef0.checkPoint.complianceBlade

  • cef0.checkPoint.cpmiClient

Check Point Security Gateway

  • cef0.checkPoint.httpsInspection

  • cef0.checkPoint.logSystem

  • cef0.checkPoint.securityGatewayManagement

Check Point Security Management Appliances

  • cef0.checkPoint.securityManagementServer

Check Point SmartDashboard

  • cef0.checkPoint.smartdashboard

Check Point SmartDefense

  • cef0.checkPoint.smartdefense

Check Point SmartView

  • cef0.checkPoint.smartviewMonitor

  • cef0.checkPoint.smartviewTracker

  • cef0.checkPoint.system

  • cef0.checkPoint.systemMonitor

Check Point VPN Solutions

  • cef0.checkPoint.vpn1

  • cef0.checkPoint.vpn1EmbeddedConnector

  • cef0.checkPoint.vpn1Firewall1

  • cef0.checkPoint.vpn1Firewall1Smartdefense

Cisco ASA

  • cef0.cisco.asa

Cisco Email Security

  • cef0.cisco.ironport

Cisco FWSM

  • cef0.cisco.fwsm

Cisco Intrusion Detection System

  • cef0.cisco.ciscoIntrusionPreventionSystem

Cisco Meraki Access Point

Cisco NX-OS Software

  • cef0.cisco.nxOs

Cisco routers

  • cef0.cisco.ciscorouter

Cisco Secure Access Control System

  • cef0.cisco.ciscoSecureAcs

Cisco/Sourcefire FireSIGHT System Event Streamer (eStreamer)

  • cef0.sourcefire.sourcefireManagemeentConsoleEstreamer

Crowdstrike Falcon Host

  • cef0.crowdstrike.falconhost

CyberArk Enterprise Password Vault

  • cef0.cyberArk.vault

Cybereason

F5 ASM

F5 BIG-IP Application Services

  • cef0.f5.bigIp

Fireeye Email Security

  • cef0.fireeye.emps

  • cef0.fireeye.mps

Forcepoint Data Loss Prevention

  • cef0.forcepoint.forcepointDlp

Forcepoint Firewall

  • cef0.forcepoint.firewall

Forcepoint Web Security

Forescout CounterACT

  • cef0.forescout.counteract

  • cef0.forescoutTechnologies.counteract learn more

Fortinet FortiGate

Fortinet FortiNAC

IBM AS/400

  • cef0.ibm.as400

IBM Guardium

IBM Security 

Imperva Attack Analytics

Imperva SecureSphere MX Management Server

  • cef0.impervaMx.securesphere

Infoblox Network Identity Operating System

  • cef0.infoblox.nios

Ipswitch Secure File Transfer Software

  • cef0.ipswitch.sftp

Juniper Junos OS

  • cef0.juniper.junos

Juniper NetScreen Security

  • cef0.juniper.netscreenVpn

Juniper Network & Security Manager

  • cef0.juniper.nsm

Juniper ScreenOS Firewall

  • cef0.netscreen.firewallVpn

Juniper SSL VPN

  • cef0.juniper.juniperSsl

Kaspersky

  • cef0.kaspersky.kaspersky learn more

  • cef0.kasperskylab.securitycenter learn more

  • cef0.kaspersky.securityCenter learn more

  • cef0.kaspersky.securityCenterNetworkAgent learn more

  • cef0.kaspersky.kasperskyAntivirusForWindowsServersEnterpriseEdition learn more

  • cef0.kaspersky.kasperskyEndpointSecurityForWindows learn more

Lumension Endpoint Management and Security

  • cef0.lumension.lumension

Malwarebytes

  • cef0.malwarebytes.malwarebytes-endpoint-protection learn more

McAfee ePolicy Orchestrator (McAfee ePO)

  • cef0.mcafee.epolicyOrchestrator

McAfee Host Intrusion Prevention

  • cef0.mcafee.hostIntrusionPrevention

McAfee Next Generation Firewall

  • cef0.mcafee.firewall

McAfee Secure Internet Gateway

  • cef0.mcafee.secureInternetGateway

Micro Focus ArcSight

  • cef0.arcsight.arcsight

  • cef0.arcsight.cpmiClient

  • cef0.arcsight.firewall

  • cef0.arcsight.firewall1

  • cef0.arcsight.logger

  • cef0.arcsight.panOs

  • cef0.arcsight.smartdashboard

  • cef0.arcsight.smartdefense

  • cef0.arcsight.smartviewTracker

  • cef0.arcsight.unityone

  • cef0.arcsight.vpn1Firewall1

Microsoft Cloud App Security

Microsoft DNS trace log

  • cef0.microsoft.dnsTraceLog

Microsoft Defender ATP (now Microsoft Defender for Endpoint).

Microsoft Exchange Server

  • cef0.microsoft.exchangeServer

Microsoft Forefront Protection

  • cef0.microsoft.forefrontProtection

Microsoft Forefront Threat Management Gateway
(formerly Microsoft ISA Server)

  • cef0.microsoft.isaServer

Microsoft IIS

  • cef0.microsoft.internetInformationServer

Microsoft Network Policy Server

  • cef0.microsoft.nps

Microsoft SQL Server

  • cef0.microsoft.sqlServer

Microsoft System Center Configuration Manager
(Forefront Endpoint Connection)

  • cef0.microsoft.sccm_fep

Microsoft system events

  • cef0.microsoft.systemOrApplicationEvent

Microsoft Windows

  • cef0.microsoft.microsoftWindows

Nagios Network Monitoring

  • cef0.nagios.nagios

Palo Alto Networks PAN-OS

Powertech SIEM Agent

  • cef0.powertech.siemAgent

Preempt Behavioral Firewall

  • cef0.preemptsecurity.pbf

Proofpoint Messaging Security Gateway

  • cef0.proofpoint.messagingSecurityGateway

Qualys

  • cef0.qualys.qualys

RSA Identity Management and Governance

  • cef0.rsa.identityManagementService

SAP - Security Audit Log

  • cef0.sap.securityAuditLog

Snort Intrusion Detection (Open source)

  • cef0.snort.snort

SonicWall

Sophos Anti-Virus

  • cef0.sophos.sophosAntiVirus

Sophos XG firewall

Stonesoft Firewall

  • cef0.stonesoft.alert

  • cef0.stonesoft.firewall

  • cef0.stonesoft.ips

  • cef0.stonesoft.stonegate

Symantec

  • cef0.symantec.symantec

Symantec Data Loss Prevention

  • cef0.symantec.dlp

Symantec Email Security

  • cef0.symantec.mailSecurityAppliance

Symantec Endpoint Protection Mobile

  • cef0.symantec.symantecEndpointProtectionMobile

Symantec ProxySG
(formerly by Blue Coat Systems)

  • cef0.bluecoat.proxyAv

  • cef0.blueCoat.proxySg

  • cef0.blueCoat.proxySgNavegacion

Trend Micro Control Manager

  • cef0.trendMicro.controlManager

  • cef0.trendMicro.deepSecurityAgent

  • cef0.trendMicro.deepSecurityManager

Trend Micro Deep Discovery Analyzer

Trend Micro TippingPoint Unity One IPS

  • cef0.trendMicro.deepDiscoveryDirector

Trend Micro XDR



Tripwire Enterprise

  • cef0.tripwire.enterprise

Unix Sendmail

  • cef0.unix.sendmail

VMware ESX

  • cef0.vmware.esx

Watchguards XTM 11.x.x.

Websense (now part of Forcepoint)

  • cef0.websense.security

Zscaler

Sending data to Devo

In order to start sending data to Devo using these tags, you must configure some parameters. Go to Policies → Common Objects → Other → Syslog Configuration and enter the following data. Click here for more info.

Configuration

Detail

Configuration

Detail

Server Name

Server Port

443

Transport

TSL

Event formart

CEF0

Private key

Enter your domain private key from the Devo app. To get it, go to Administration → Credentials → Access Keys

Credentials

Access Keys

Certificate

Enter your domain private key from the Devo app. To get it, go to Administration → Credentials → X.509 Certificates

Credentials

X.509 Certificates. 

Chain

Enter your domain private key from the Devo app. To get it, go to Administration → Credentials → X.509 Certificates. 

Â