
Technologies supported in CEF syslog format

This article contains a complete list of technologies currently supported by Devo in CEF syslog format. 

About CEF syslog format

While we recommend sending data to Devo in native syslog format whenever possible, Devo also supports the ingestion of events received in Common Event Format (CEF) over syslog for a number of technologies. The typical case is an environment where ArcSight is the log management solution and events are forwarded from ArcSight directly to Devo in CEF syslog format. A CEF syslog message has three parts: a syslog prefix carrying the timestamp and the host, a header that always starts with CEF: and contains a series of pipe-delimited identifying fields (all of them required), and an extension. The extension is technically optional, but it is where the real event payload normally lives, as a set of key=value pairs. Here's a model of the format, as defined by the CEF standard:

CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension

A literal pipe inside a header field is escaped as \| and a literal equals sign inside an extension value as \=; a literal backslash is written as \\ in both.

You'll notice that the event contains no Devo-specific tag. This is because Devo uses a different process to ingest these events. When a CEF syslog event is sent to the platform, Devo recognizes CEF as the tag and then reads the Device Vendor and Device Product values from the event's header. The event is saved to a table named cef0.device_vendor.device_product, where the cef0 prefix corresponds to the CEF version number in the header (the list below also contains one cef1 table).

So, can you send any data to Devo in CEF syslog format? Yes and no. Yes, because Devo will ingest the events and store them in a file determined by the date and the key event fields. However, if Devo does not yet have a parser for that specific event type, the table will not appear in the Finder and you will not be able to access the data. In short, Devo will ingest the data, but a parser is required before the data table becomes accessible and the events can be parsed for display.
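The following script is an added example written for this article, not Devo's ingestion code: it splits a CEF syslog line into syslog prefix, header and extension, honours the \| and \= escaping described above, and derives the cef<version>.vendor.product table name from the header. The sample lines are constructed, and the camelCase normalisation in table_name() is an assumption chosen to reproduce names that appear in the list below (for example "Check Point" to checkPoint); Devo's exact naming rules are not documented on this page.

```python
"""Added example (illustrative, not Devo's code): parse CEF-over-syslog lines
and derive the Devo table name cef<version>.<vendor>.<product>."""
import re
from dataclasses import dataclass, field

# Constructed sample lines; not captured from any real device.
SAMPLES = [
    "Jan 18 11:07:53 host1 CEF:0|Security|threatmanager|1.0|100|worm \\| stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "<14>Jan 18 11:08:01 fw01 CEF:0|Check Point|VPN-1 & FireWall-1|R80.30|Accept|Accept|3|act=Accept cs1Label=Rule Name cs1=Allow\\=Web src=10.1.1.5",
    "Jan 18 11:08:02 cb01 CEF:1|Carbon Black|Protection|8.1.4|1000|File execution blocked|7|fname=evil.exe filePath=C:\\\\Users\\\\bob\\\\evil.exe rt=1516273682000",
]

_ESCAPES = {"n": "\n", "r": "\r"}                        # CEF encodes line breaks as \n and \r
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")     # an extension key sits at start or after a space


@dataclass
class CefEvent:
    timestamp: str
    host: str
    version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _unescape(text):
    """Undo CEF escaping: \\| \\= \\\\ become the literal character, \\n and \\r become line breaks."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text, flags=re.S)


def _split_header(body):
    """Split the seven required header fields on unescaped '|'; whatever follows is the extension."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):     # keep the escaped pair intact for _unescape
            buf.append(body[i:i + 2])
            i += 2
            continue
        if ch == "|":
            fields.append(_unescape("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must contain 7 pipe-delimited fields")
    return fields, body[i:]


def _parse_extension(ext):
    """'key=value key=value': values may contain spaces, a literal '=' is escaped as \\=."""
    matches = list(_KEY_RE.finditer(ext))
    pairs = {}
    for cur, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        pairs[cur.group(1)] = _unescape(ext[cur.end():end].strip())
    return pairs


def parse_cef(line):
    """Split a syslog line into prefix, CEF header and extension; ValueError if it is not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: header in line")
    prefix = re.sub(r"^<\d+>", "", line[:idx]).split()    # drop the syslog PRI if present
    fields, ext = _split_header(line[idx:])
    m = re.fullmatch(r"CEF:(\d+)", fields[0])
    if not m:
        raise ValueError(f"bad CEF version field: {fields[0]!r}")
    return CefEvent(timestamp=" ".join(prefix[:-1]), host=prefix[-1] if prefix else "",
                    version=int(m.group(1)), vendor=fields[1], product=fields[2],
                    device_version=fields[3], signature_id=fields[4], name=fields[5],
                    severity=fields[6], extension=_parse_extension(ext))


def _camel(text):
    """Assumed normalisation: 'VPN-1 & FireWall-1' -> 'vpn1Firewall1', 'Check Point' -> 'checkPoint'."""
    words = re.findall(r"[A-Za-z0-9]+", text)
    return (words[0].lower() + "".join(w.lower().capitalize() for w in words[1:])) if words else ""


def table_name(ev):
    """cef<version>.<vendor>.<product>: the table Devo files the event under."""
    return f"cef{ev.version}.{_camel(ev.vendor)}.{_camel(ev.product)}"


if __name__ == "__main__":
    for raw in SAMPLES:
        ev = parse_cef(raw)
        print(f"{table_name(ev):36} host={ev.host} name={ev.name!r} ext={ev.extension}")
```

Running it prints one line per sample, e.g. cef0.checkPoint.vpn1Firewall1 for the Check Point line, which matches the table listed for that product below. Note that a line whose header has fewer than seven fields, or whose vendor and product are not yet known to Devo, is still accepted by the relay; only a parser on the Devo side makes the resulting table visible.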

If you have data you must send to Devo in CEF syslog format, and the source technology does not appear in the list below, contact Devo professional services so they can create a parser for the data.

Note that it is not possible to ingest data to CEF tables using the HTTP ingestion method.

List of technologies

The following list of more than 100 technologies that Devo supports in CEF syslog format is ordered alphabetically by vendor name. Each technology is listed along with the table name (or names) under which its events appear in the Finder of the Devo data search. Entries marked +info have a dedicated article with further details on that parser.

Browse the technologies by vendor name or use CTRL + F to search this page.

Technology

Data table name

Akamai

cef0.akamai.akamai_siem +info

Amazon Web Services

cef0.amazon.* +info

AnubisNetworks Cyberfeed

  • cef0.anubisnetworks.cyberfeed

  • cef0.anubisnetworks.cyberfeedRealTimeThreatIntelligence

ArcSight Logger

cef0.arcsight.logger +info

AWN CyberSOC

  • cef0.cybersoc.incapsula

  • cef0.cybersoc.servicedesk

AWS VPC Flow Log

cef0.aws.vpcFlow +info

Barracuda Web Application Firewall

cef0.barracuda.waf +info

Barracuda Networks

cef0.barracudanetworks +info

Blue Coat Systems

cef0.bluecoat +info

Carbon Black Protection

cef1.carbonBlack.protection +info

Check Point

  • cef0.checkPoint.antiMalware +info

  • cef0.checkPoint.applicationControlAndUrlFiltering +info

  • cef0.checkPoint.compliance +info

  • cef0.checkPoint.contentAwareness +info

  • cef0.checkPoint.endpointManagement +info

  • cef0.checkPoint.fde +info

  • cef0.checkPoint.firewall +info

  • cef0.checkPoint.mepp +info

  • cef0.checkPoint.newAntiVirus +info

  • cef0.checkPoint.scheduledSystemUpdate +info

  • cef0.checkPoint.threatEmulation +info

  • cef0.checkPoint.threatExtraction +info

  • cef0.checkPoint.vpn1Firewall1AndContentAwareness +info

  • cef0.checkPoint.web_api +info

  • cef0.checkPoint.zeroPhishing +info

Check Point Application Control

cef0.checkPoint.applicationControl +info

Check Point dshield agent log

cef0.checkPoint.stormagent

Check Point Firewall

  • cef0.checkPoint.firewall1

  • cef0.checkPoint.fwm

Check Point Log Exporter

cef0.checkPoint.logUpdate (shown as cef0.check-point.log-update)

Check Point Security Compliance

  • cef0.checkPoint.complianceBlade

  • cef0.checkPoint.cpmiClient

Check Point Security Gateway

  • cef0.checkPoint.httpsInspection

  • cef0.checkPoint.logSystem

  • cef0.checkPoint.securityGatewayManagement

Check Point Security Management Appliances

cef0.checkPoint.securityManagementServer

Check Point SmartDashboard

cef0.checkPoint.smartdashboard

Check Point SmartDefense

cef0.checkPoint.smartdefense

Check Point SmartView

  • cef0.checkPoint.smartviewMonitor

  • cef0.checkPoint.smartviewTracker

  • cef0.checkPoint.system

  • cef0.checkPoint.systemMonitor

Check Point VPN Solutions

  • cef0.checkPoint.vpn1

  • cef0.checkPoint.vpn1EmbeddedConnector

  • cef0.checkPoint.vpn1Firewall1

  • cef0.checkPoint.vpn1Firewall1Smartdefense

Cisco ASA

cef0.cisco.asa

Cisco Email Security

cef0.cisco.ironport

Cisco FWSM

cef0.cisco.fwsm

Cisco Intrusion Prevention System (IPS)

cef0.cisco.ciscoIntrusionPreventionSystem

Cisco Meraki Access Point

cef0.cisco.merakiAccessPoint +info

Cisco NX-OS Software

cef0.cisco.nxOs

Cisco routers

cef0.cisco.ciscorouter

Cisco Secure Access Control System

cef0.cisco.ciscoSecureAcs

Cisco/Sourcefire FireSIGHT System Event Streamer (eStreamer)

cef0.sourcefire.sourcefireManagementConsoleEstreamer

CrowdStrike Falcon Host

cef0.crowdstrike.falconhost

CyberArk Enterprise Password Vault

cef0.cyberArk.vault

Cybereason

cef0.cybereason.* +info

F5 ASM

cef0.f5.asm +info

F5 BIG-IP Application Services

cef0.f5.bigIp

FireEye Email Security

  • cef0.fireeye.emps

  • cef0.fireeye.mps

Forcepoint Data Loss Prevention

cef0.forcepoint.forcepointDlp

Forcepoint Firewall

cef0.forcepoint.firewall

Forcepoint Web Security

cef0.forcepoint.security +info

Forescout CounterACT

  • cef0.forescout.counteract

  • cef0.forescoutTechnologies.counteract +info

Fortinet FortiGate

  • cef0.fortinet.fortigate60e +info

  • cef0.fortinet.fortigate300d +info

  • cef0.fortinet.fortigate600e  +info

  • cef0.fortinet.fortigate400e +info 

  • cef0.fortinet.fortigate200e +info

IBM AS/400

cef0.ibm.as400

IBM Guardium

cef0.ibm.guardium +info

IBM Security Access Manager

cef0.ibm.securityAccessManager +info

Imperva Attack Analytics

cef0.impervaInc.attackAnalytics +info

Imperva SecureSphere MX Management Server

cef0.impervaMx.securesphere

Infoblox Network Identity Operating System

cef0.infoblox.nios

Ipswitch Secure File Transfer Software

cef0.ipswitch.sftp

Juniper Junos OS

cef0.juniper.junos

Juniper NetScreen Security

cef0.juniper.netscreenVpn

Juniper Network & Security Manager

cef0.juniper.nsm

Juniper ScreenOS Firewall

cef0.netscreen.firewallVpn

Juniper SSL VPN

cef0.juniper.juniperSsl

Kaspersky

  • cef0.kaspersky.kaspersky +info

  • cef0.kasperskylab.securitycenter +info

  • cef0.kaspersky.securityCenter +info

  • cef0.kaspersky.securityCenterNetworkAgent +info

  • cef0.kaspersky.kasperskyAntivirusForWindowsServersEnterpriseEdition +info

  • cef0.kaspersky.kasperskyEndpointSecurityForWindows +info

Lumension Endpoint Management and Security

cef0.lumension.lumension

Malwarebytes

cef0.malwarebytes.malwarebytes-endpoint-protection +info

McAfee ePolicy Orchestrator (McAfee ePO)

cef0.mcafee.epolicyOrchestrator

McAfee Host Intrusion Prevention

cef0.mcafee.hostIntrusionPrevention

McAfee Next Generation Firewall

cef0.mcafee.firewall

McAfee Secure Internet Gateway

cef0.mcafee.secureInternetGateway

Micro Focus ArcSight

  • cef0.arcsight.arcsight

  • cef0.arcsight.cpmiClient

  • cef0.arcsight.firewall

  • cef0.arcsight.firewall1

  • cef0.arcsight.logger

  • cef0.arcsight.panOs

  • cef0.arcsight.smartdashboard

  • cef0.arcsight.smartdefense

  • cef0.arcsight.smartviewTracker

  • cef0.arcsight.unityone

  • cef0.arcsight.vpn1Firewall1

Microsoft Cloud App Security

cef0.mcas.siemAgent +info

Microsoft DNS trace log

cef0.microsoft.dnsTraceLog

Microsoft Defender ATP (now Microsoft Defender for Endpoint)

cef0.microsoft.windowsDefenderAtp +info

Microsoft Exchange Server

cef0.microsoft.exchangeServer

Microsoft Forefront Protection

cef0.microsoft.forefrontProtection

Microsoft Forefront Threat Management Gateway
(formerly Microsoft ISA Server)

cef0.microsoft.isaServer

Microsoft IIS

cef0.microsoft.internetInformationServer

Microsoft Network Policy Server

cef0.microsoft.nps

Microsoft SQL Server

cef0.microsoft.sqlServer

Microsoft System Center Configuration Manager
(Forefront Endpoint Protection)

cef0.microsoft.sccm_fep

Microsoft system events

cef0.microsoft.systemOrApplicationEvent

Microsoft Windows

cef0.microsoft.microsoftWindows

Nagios Network Monitoring

cef0.nagios.nagios

Palo Alto Networks PAN-OS

cef0.paloAltoNetworks.panOs

Powertech SIEM Agent

cef0.powertech.siemAgent

Preempt Behavioral Firewall

cef0.preemptsecurity.pbf

Proofpoint Messaging Security Gateway

cef0.proofpoint.messagingSecurityGateway

Qualys

cef0.qualys.qualys

RSA Identity Management and Governance

cef0.rsa.identityManagementService

SAP - Security Audit Log

cef0.sap.securityAuditLog

Snort Intrusion Detection (Open source)

cef0.snort.snort

SonicWall

cef0.sonicwall +info

Sophos Anti-Virus

cef0.sophos.sophosAntiVirus

Sophos XG firewall

cef0.sophos.xg +info

Stonesoft Firewall

  • cef0.stonesoft.alert

  • cef0.stonesoft.firewall

  • cef0.stonesoft.ips

  • cef0.stonesoft.stonegate

Symantec

cef0.symantec.symantec

Symantec Data Loss Prevention

cef0.symantec.dlp

Symantec Email Security

cef0.symantec.mailSecurityAppliance

Symantec Endpoint Protection Mobile

cef0.symantec.symantecEndpointProtectionMobile

Symantec ProxySG
(formerly by Blue Coat Systems)

  • cef0.bluecoat.proxyAv

  • cef0.blueCoat.proxySg

  • cef0.blueCoat.proxySgNavegacion

Trend Micro Control Manager and Deep Security

  • cef0.trendMicro.controlManager

  • cef0.trendMicro.deepSecurityAgent

  • cef0.trendMicro.deepSecurityManager

Trend Micro Deep Discovery Analyzer

cef0.trendMicro.deepDiscoveryAnalyzer +info

Trend Micro TippingPoint Unity One IPS

cef0.trendMicro.deepDiscoveryDirector

To start sending Trend Micro data to Devo under this tag, configure a syslog destination in the console: go to Policies → Common Objects → Other → Syslog Configuration and enter the following data.

Server Name:

  • USA - us.elb.relay.logtrust.net

  • GCP (Spain) - es.elb.relay.logtrust.net

  • EU - eu.elb.relay.logtrust.net

If your domain has dedicated data nodes, use the endpoint provided by Devo instead.
Server Port - 443
Transport - TLS
Event format - CEF0
Private key - Enter your domain private key from the Devo app. To get it, go to Administration → Credentials → X.509 Certificates.
Certificate - Enter your domain certificate from the Devo app. To get it, go to Administration → Credentials → X.509 Certificates.
Chain - Enter the chain CA certificate from the Devo app. To get it, go to Administration → Credentials → X.509 Certificates.

The domain certificate and private key are what authenticate the sender to the relay, so anyone holding them can write events into your domain: keep the key out of shared configuration exports and restrict it to the sending service.
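As an added example (not from the original page, and not Devo's or Trend Micro's code), the script below does by hand what the console form above configures: it builds a CEF:0 event with the header and extension escaping rules, wraps it in a syslog frame, and opens a mutual-TLS session to the relay on port 443 that verifies the server against the chain CA and presents the domain certificate and private key. The relay host, the certificate file names and the event contents are assumptions; the send is left commented out because it needs the real certificates from the Devo app.

```python
"""Added example (illustrative, not Devo's or Trend Micro's code): emit a CEF:0
event to the Devo relay over TLS with the domain certificate."""
import datetime
import socket
import ssl

# Constructed values; a real deployment takes them from the Devo app.
RELAY_HOST = "us.elb.relay.logtrust.net"   # es./eu. for other regions, or a dedicated endpoint
RELAY_PORT = 443
DOMAIN_CERT = "domain.crt"   # Administration -> Credentials -> X.509 Certificates
DOMAIN_KEY = "domain.key"    # readable by the sending service only
CHAIN_CA = "chain.crt"
SAMPLE_TIME = datetime.datetime(2024, 1, 8, 11, 7, 53)   # fixed so the output is reproducible


def escape_header(value):
    """Header fields: backslash and pipe are escaped; nothing else is special."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values: escape backslash and '=', fold line breaks to \\r and \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    """Assemble the seven required header fields plus the key=value extension."""
    header = "|".join(escape_header(f) for f in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def syslog_frame(cef_line, hostname, when=None, facility=1, severity=6):
    """Prefix with RFC 3164 PRI, timestamp and host; facility user (1), severity info (6) is <14>."""
    when = when or datetime.datetime.now()
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded in RFC 3164
    return f"<{pri}>{stamp} {hostname} {cef_line}"


def tls_context(cert=DOMAIN_CERT, key=DOMAIN_KEY, chain=CHAIN_CA):
    """Mutual TLS: verify the relay against the chain CA and present the domain certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=chain)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def send_events(lines, host=RELAY_HOST, port=RELAY_PORT):
    """Open one TLS session, write newline-terminated events, return the bytes sent."""
    ctx = tls_context()
    payload = "".join(line + "\n" for line in lines).encode("utf-8")
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # hostname check against the cert
            tls.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    event = build_cef("Trend Micro", "Deep Security Manager", "20.0", "6000000",
                      "Integrity Monitoring Rule|Changed", "6",
                      {"act": "Detect", "src": "10.0.0.7", "msg": "path=C:\\x"})
    print(syslog_frame(event, "dsm01", SAMPLE_TIME))
    # send_events([syslog_frame(event, "dsm01")])   # uncomment once the real certificates are in place
```

The same context settings are what to check when the console reports a connection failure: the chain CA must be the one from the Devo app (it is what validates the relay's certificate), the certificate and key must belong to the same domain, and port 443 must be reachable from the sending host.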

Trend Micro XDR

cef0.trendmicro.xdr +info

Tripwire Enterprise

cef0.tripwire.enterprise

Unix Sendmail

cef0.unix.sendmail

VMware ESX

cef0.vmware.esx

WatchGuard XTM 11.x.x

cef0.watchguards.xtm330 +info

Websense (now part of Forcepoint)

cef0.websense.security

Zscaler

  • cef0.zscaler.nssweblog +info

  • cef0.zscaler.nssfwlog +info