Technologies supported in CEF syslog format
This article contains a complete list of technologies currently supported by Devo in CEF syslog format.
About CEF syslog format
While we recommend sending data to Devo in syslog format whenever possible, we have provided support for the ingestion of events received in common event format (CEF) via syslog for some technologies. A prime example is when ArcSight is used as a log management solution and events are forwarded from ArcSight directly to Devo in CEF syslog format. This format consists of a syslog prefix containing the date/time stamp and the host, followed by a header that always starts with CEF: and continues with a series of identifying fields, all of which are required. The last component is the extension; while it is technically optional, it is generally where the real event payload resides. The extension contains data in key-value pairs. Here's a model of the format and a sample CEF syslog packet.
You'll notice that the event contains no specific Devo tag. This is because Devo uses a different process to ingest these events. When a CEF syslog event is sent to the platform, Devo recognizes CEF as the tag and then reads the device vendor and device product values from the event's header. The event is then saved to a table named cef0.device_vendor.device_product.
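Added here as an illustration (not Devo's own code, and the packet is constructed): a small Python parser that splits a CEF syslog line into its syslog prefix, the seven required header fields and the extension key-value pairs, honouring CEF escaping of `|` and `=`, checks the severity range, and derives the cef0.device_vendor.device_product table name. The camel-case normalization that reproduces names such as cef0.paloAltoNetworks.panOs from the table below is my assumption; the page does not state Devo's actual rule.

```python
import re
# Constructed sample (not from the page): syslog prefix + CEF header + extension.
SAMPLE = ("Jan 18 11:07:53 fw01.example.net CEF:0|Palo Alto Networks|PAN-OS|9.1|"
          "TRAFFIC|end|3|src=10.0.0.5 dst=192.0.2.10 spt=51234 dpt=443 "
          "msg=matched rule\\=allow-web proto=tcp act=allow")
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "sig_id", "name", "severity")
_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")  # one header field up to an unescaped '|'
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\[\]]+)=")  # "key=" at a token start
_ESCAPES = {"\\=": "=", "\\\\": "\\", "\\|": "|", "\\n": "\n", "\\r": "\r"}

def _unescape(text):
    return re.sub(r"\\[=\\|nr]", lambda m: _ESCAPES[m.group(0)], text)

def _split_header(cef):
    """Return the 7 required header fields plus the raw extension text."""
    fields, pos = [], 0
    for _ in range(7):
        m = _FIELD.match(cef, pos)
        if not m:
            raise ValueError("CEF header needs 7 pipe-separated fields")
        fields.append(_unescape(m.group(1)))
        pos = m.end()
    return fields, cef[pos:]

def _parse_extension(ext):
    """Values may contain spaces; '=' inside a value is escaped as '\\='."""
    keys, pairs = list(_EXT_KEY.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end].strip())
    return pairs

def _camel(text):
    """Assumed approximation of the listed table naming, e.g. 'PAN-OS' -> 'panOs'."""
    words = [w.lower() for w in re.split(r"[^A-Za-z0-9]+", text) if w]
    return words[0] + "".join(w.capitalize() for w in words[1:])

def parse_cef_syslog(line):
    """Return syslog prefix, header, extension and the derived Devo table name."""
    prefix, sep, rest = line.partition("CEF:")
    if not sep:
        raise ValueError("packet has no CEF: header, so it would not be tagged as CEF")
    fields, ext = _split_header("CEF:" + rest)
    header = dict(zip(HEADER_FIELDS, fields))
    sev = header["severity"]  # CEF allows 0-10 or the four named levels
    if not ((sev.isdigit() and int(sev) <= 10) or sev in ("Low", "Medium", "High", "Very-High")):
        raise ValueError(f"severity {sev!r} is outside the CEF range")
    table = f"cef0.{_camel(header['vendor'])}.{_camel(header['product'])}"
    return {"syslog_prefix": prefix.strip(), "header": header,
            "extension": _parse_extension(ext), "table": table}
```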
So, are we saying that you can send any data to Devo in CEF syslog format? Yes and no. Yes, because Devo will ingest the events and save them in a file determined by the date and key event fields. However, if Devo does not yet have a parser for that specific event type, the table name will not appear in the Finder and you won't be able to access the data. So yes, Devo will ingest the data, but a parser file is necessary before you can access the data table and parse the events for display.
If you have data you must send to Devo in CEF syslog format, and the source technology does not appear in the list below, contact Devo professional services so they can create a parser for the data.
Note that it is not possible to ingest data into CEF tables using the HTTP ingestion method.
List of technologies
The following list of more than 100 technologies that Devo supports in CEF syslog is ordered alphabetically by vendor name. Each technology is listed along with the table name under which it will appear in the Devo data search Finder.
Browse the technologies by vendor name or use CTRL + F to search this page.
Technology | Data table name |
---|---|
Akamai | cef0.akamai.akamai_siem |
Amazon Web Services | cef0.amazon.* |
AnubisNetworks Cyberfeed | |
Akamai Logger | cef0.arcsight.logger |
AWN CyberSOC | |
AWS VPC Flow Log | cef0.aws.vpcFlow |
Barracuda Web Application Firewall | cef0.barracuda.waf |
Barracuda Networks | cef0.barracudanetworks |
Blue Coat Systems | cef0.bluecoat |
Carbon Black Protection | cef1.carbonBlack.protection |
Check Point | |
Check Point Application Control | cef0.checkPoint.applicationControl |
Check Point dshield agent log | cef0.checkPoint.stormagent |
Check Point Firewall | |
Check Point Log Exporter | cef0.checkPoint.logUpdate (shown as cef0.check-point.log-update) |
Check Point Security Compliance | |
Check Point Security Gateway | |
Check Point Security Management Appliances | cef0.checkPoint.securityManagementServer |
Check Point SmartDashboard | cef0.checkPoint.smartdashboard |
Check Point SmartDefense | cef0.checkPoint.smartdefense |
Check Point SmartView | |
Check Point VPN Solutions | |
Cisco ASA | cef0.cisco.asa |
Cisco Email Security | cef0.cisco.ironport |
Cisco FWSM | cef0.cisco.fwsm |
Cisco Intrusion Detection System | cef0.cisco.ciscoIntrusionPreventionSystem |
Cisco Meraki Access Point | cef0.cisco.merakiAccessPoint |
Cisco NX-OS Software | cef0.cisco.nxOs |
Cisco routers | cef0.cisco.ciscorouter |
Cisco Secure Access Control System | cef0.cisco.ciscoSecureAcs |
Cisco/Sourcefire FireSIGHT System Event Streamer (eStreamer) | cef0.sourcefire.sourcefireManagementConsoleEstreamer |
Crowdstrike Falcon Host | cef0.crowdstrike.falconhost |
CyberArk Enterprise Password Vault | cef0.cyberArk.vault |
Cybereason | cef0.cybereason.* |
F5 ASM | cef0.f5.asm |
F5 BIG-IP Application Services | cef0.f5.bigIp |
Fireeye Email Security | |
Forcepoint Data Loss Prevention | cef0.forcepoint.forcepointDlp |
Forcepoint Firewall | cef0.forcepoint.firewall |
Forcepoint Web Security | cef0.forcepoint.security |
Forescout CounterACT | |
Fortinet FortiGate | |
IBM AS/400 | cef0.ibm.as400 |
IBM Guardium | cef0.ibm.guardium |
IBM Security | cef0.ibm.securityAccessManager |
Imperva Attack Analytics | cef0.impervaInc.attackAnalytics |
Imperva SecureSphere MX Management Server | cef0.impervaMx.securesphere |
Infoblox Network Identity Operating System | cef0.infoblox.nios |
Ipswitch Secure File Transfer Software | cef0.ipswitch.sftp |
Juniper Junos OS | cef0.juniper.junos |
Juniper NetScreen Security | cef0.juniper.netscreenVpn |
Juniper Network & Security Manager | cef0.juniper.nsm |
Juniper ScreenOS Firewall | cef0.netscreen.firewallVpn |
Juniper SSL VPN | cef0.juniper.juniperSsl |
Kaspersky | |
Lumension Endpoint Management and Security | cef0.lumension.lumension |
Malwarebytes | cef0.malwarebytes.malwarebytes-endpoint-protection |
McAfee ePolicy Orchestrator (McAfee ePO) | cef0.mcafee.epolicyOrchestrator |
McAfee Host Intrusion Prevention | cef0.mcafee.hostIntrusionPrevention |
McAfee Next Generation Firewall | cef0.mcafee.firewall |
McAfee Secure Internet Gateway | cef0.mcafee.secureInternetGateway |
Micro Focus ArcSight | |
Microsoft Cloud App Security | cef0.mcas.siemAgent |
Microsoft DNS trace log | cef0.microsoft.dnsTraceLog |
Microsoft Defender ATP (now Microsoft Defender for Endpoint) | cef0.microsoft.windowsDefenderAtp |
Microsoft Exchange Server | cef0.microsoft.exchangeServer |
Microsoft Forefront Protection | cef0.microsoft.forefrontProtection |
Microsoft Forefront Threat Management Gateway | cef0.microsoft.isaServer |
Microsoft IIS | cef0.microsoft.internetInformationServer |
Microsoft Network Policy Server | cef0.microsoft.nps |
Microsoft SQL Server | cef0.microsoft.sqlServer |
Microsoft System Center Configuration Manager | cef0.microsoft.sccm_fep |
Microsoft system events | cef0.microsoft.systemOrApplicationEvent |
Microsoft Windows | cef0.microsoft.microsoftWindows |
Nagios Network Monitoring | cef0.nagios.nagios |
Palo Alto Networks PAN-OS | cef0.paloAltoNetworks.panOs |
Powertech SIEM Agent | cef0.powertech.siemAgent |
Preempt Behavioral Firewall | cef0.preemptsecurity.pbf |
Proofpoint Messaging Security Gateway | cef0.proofpoint.messagingSecurityGateway |
Qualys | cef0.qualys.qualys |
RSA Identity Management and Governance | cef0.rsa.identityManagementService |
SAP - Security Audit Log | cef0.sap.securityAuditLog |
Snort Intrusion Detection (Open source) | cef0.snort.snort |
SonicWall | cef0.sonicwall |
Sophos Anti-Virus | cef0.sophos.sophosAntiVirus |
Sophos XG firewall | cef0.sophos.xg |
Stonesoft Firewall | |
Symantec | cef0.symantec.symantec |
Symantec Data Loss Prevention | cef0.symantec.dlp |
Symantec Email Security | cef0.symantec.mailSecurityAppliance |
Symantec Endpoint Protection Mobile | cef0.symantec.symantecEndpointProtectionMobile |
Symantec ProxySG | |
Trend Micro Control Manager | |
Trend Micro Deep Discovery Analyzer | cef0.trendMicro.deepDiscoveryAnalyzer |
Trend Micro TippingPoint Unity One IPS | cef0.trendMicro.deepDiscoveryDirector (to start sending data to Devo using this tag, go to Policies → Common Objects → Other → Syslog Configuration and configure the Server Name; if the customer has dedicated data nodes, use the endpoint provided by Devo) |
Trend Micro XDR | cef0.trendmicro.xdr |
Tripwire Enterprise | cef0.tripwire.enterprise |
Unix Sendmail | cef0.unix.sendmail |
VMware ESX | cef0.vmware.esx |
Watchguards XTM 11.x.x | cef0.watchguards.xtm330 |
Websense (now part of Forcepoint) | cef0.websense.security |
Zscaler | |