Technologies supported in CEF syslog format
This article contains a complete list of technologies currently supported by Devo in CEF syslog format.
About CEF syslog format
While we recommend sending data to Devo in syslog format whenever possible, we also support the ingestion of events received in Common Event Format (CEF) over syslog for a number of technologies. A typical case is an environment where ArcSight is the log management solution and events are forwarded from ArcSight directly to Devo in CEF syslog format. A CEF syslog event has three parts: a syslog prefix carrying the timestamp and the host; a header that always starts with CEF: and is followed by seven pipe-delimited fields, all of them required (version, device vendor, device product, device version, device event class ID, name and severity); and an extension. The extension is technically optional, but it is where the real event payload usually resides, as a series of key-value pairs. The layout is:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
You'll notice that the event carries no Devo tag. Devo uses a different process to ingest these events: when a CEF syslog event reaches the platform, Devo recognizes CEF as the tag and then reads the device vendor and device product values from the event's header. The event is stored in a table named cef0.device_vendor.device_product.
So, can you send any data to Devo in CEF syslog format? Yes and no. Yes, because Devo will ingest the events and store them in a file determined by the date and key event fields. However, if Devo does not yet have a parser for that event type, no table name will appear in the Finder and you will not be able to access the data. In short, Devo ingests the data, but a parser file is necessary before the data table becomes accessible and the events can be parsed for display.
If you have data you must send to Devo in CEF syslog format, and the source technology does not appear in the list below, contact Devo professional services so they can create a parser for the data.
Note that it is not possible to ingest data to CEF tables using the HTTP ingestion method.
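As an added example (not Devo's code), the following parser applies the format described above to a CEF syslog line: it splits the header on unescaped pipes, requires all seven header fields, decodes the extension's key-value pairs with CEF escaping, and derives the cef0.device_vendor.device_product table name. The sample lines are constructed for this example. The way Devo turns the vendor and product strings into table-name components is an assumption here (the page only shows that cef0.checkPoint.logUpdate is displayed as cef0.check-point.log-update), so confirm the real name in the Finder.

```python
"""Parse CEF-over-syslog and derive the Devo table name cef0.<vendor>.<product>.

Added example, not Devo's code. CEF escaping rules applied: inside a header
field a pipe or backslash is escaped with a backslash; inside an extension
value an equals sign or backslash is escaped with a backslash.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CefEvent:
    syslog_prefix: str          # everything before "CEF:" (PRI, timestamp, host)
    version: int
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str           # device event class ID
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _split_header(s):
    """Split on unescaped '|' into the 7 required fields; return (fields, raw extension)."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):     # escaped pipe or backslash in a field
            cur.append(s[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) == 6 and cur:             # severity present but no trailing '|'
        fields.append("".join(cur))
        i = len(s)
    if len(fields) != 7:
        raise ValueError(f"CEF header has {len(fields)} of the 7 required fields")
    return fields, s[i:]


# A key is a run of key characters directly followed by '=', at the start of the
# extension or after whitespace. An escaped '=' inside a value never matches.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _unescape_ext(v):
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append({"n": "\n", "r": "\r"}.get(v[i + 1], v[i + 1]))
            i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def parse_extension(raw):
    """Parse 'k=v k2=v' where values may contain spaces and escaped '='."""
    keys = list(_EXT_KEY.finditer(raw))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(raw)
        ext[m.group(1)] = _unescape_ext(raw[m.end():end].strip())
    return ext


def parse_cef_syslog(line):
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: header found")
    fields, raw_ext = _split_header(line[idx:])
    version = fields[0][len("CEF:"):]
    if not version.isdigit():
        raise ValueError(f"bad CEF version field: {fields[0]!r}")
    return CefEvent(line[:idx].strip(), int(version), *fields[1:], parse_extension(raw_ext))


def _normalise(s):
    # ASSUMPTION: Devo's exact mapping from header strings to table-name parts is
    # not documented on this page. Here: keep letters and digits only and lowercase
    # the first character, so "Check Point" -> "checkPoint".
    word = re.sub(r"[^A-Za-z0-9]", "", s)
    return word[:1].lower() + word[1:]


def devo_table_name(event):
    """Table the event lands in, per the page: cef0.<device vendor>.<device product>."""
    return f"cef0.{_normalise(event.device_vendor)}.{_normalise(event.device_product)}"


# Constructed samples (not from the page). The second one has an escaped '|' in
# the vendor, an escaped backslash in the product, and an escaped '=' plus a
# literal backslash inside an extension value.
SAMPLE_PLAIN = (
    "<134>Oct 12 14:03:21 fw01 "
    "CEF:0|Check Point|Security Gateway|R81|Accept|Accepted connection|3|"
    "src=10.0.0.5 dst=192.168.1.10 spt=51234 dpt=443 proto=TCP act=Accept"
)
SAMPLE_ESCAPED = (
    "<134>Oct 12 14:03:22 host2 "
    "CEF:0|Acme\\|Corp|Web\\\\Proxy|2.1|100|blocked url|7|"
    "msg=rule\\=7 matched, path C:\\\\logs suser=alice"
)

if __name__ == "__main__":
    for line in (SAMPLE_PLAIN, SAMPLE_ESCAPED):
        ev = parse_cef_syslog(line)
        print(devo_table_name(ev), ev.extension)
```

Run it against your forwarder's output before pointing it at Devo: a header with fewer than seven fields (typically the result of an unescaped pipe in a vendor or product name) is rejected outright, and the derived table name tells you which parser must exist for the data to show up in the Finder.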
List of technologies
The following list of more than 100 technologies that Devo supports in CEF syslog is ordered alphabetically by vendor name. Each technology is listed along with its corresponding table name that will appear in the Devo data search Finder.
Browse the technologies by vendor name or use CTRL + F to search this page.
Technology: data table name
Amazon Web Services
AWS VPC Flow Log
Barracuda Web Application Firewall
Carbon Black Protection
Check Point Application Control
Check Point dshield agent log
Check Point Firewall
Check Point Log Exporter: cef0.checkPoint.logUpdate (shown in the Finder as cef0.check-point.log-update)
Check Point Security Compliance
Check Point Security Gateway
Check Point Security Management Appliances
Check Point SmartDashboard
Check Point SmartDefense
Check Point SmartView
Check Point VPN Solutions
Cisco Email Security
Cisco Intrusion Detection System
Cisco Meraki Access Point
Cisco NX-OS Software
Cisco Secure Access Control System
Cisco/Sourcefire FireSIGHT System Event Streamer (eStreamer)
Crowdstrike Falcon Host: cef0.crowdstrike.falconhost
CyberArk Enterprise Password Vault
F5 BIG-IP Application Services
Fireeye Email Security
Forcepoint Data Loss Prevention
Forcepoint Web Security
Imperva SecureSphere MX Management Server
Infoblox Network Identity Operating System
Ipswitch Secure File Transfer Software
Juniper Junos OS
Juniper NetScreen Security
Juniper Network & Security Manager
Juniper ScreenOS Firewall
Juniper SSL VPN
Lumension Endpoint Management and Security
McAfee ePolicy Orchestrator (McAfee ePO)
McAfee Host Intrusion Prevention
McAfee Next Generation Firewall
McAfee Secure Internet Gateway
Micro Focus ArcSight
Microsoft Cloud App Security: cef0.mcas.siemAgent
Microsoft DNS trace log
Microsoft Defender ATP (now Microsoft Defender for Endpoint)
Microsoft Exchange Server
Microsoft Forefront Protection
Microsoft Forefront Threat Management Gateway
Microsoft Network Policy Server
Microsoft SQL Server
Microsoft System Center Configuration Manager
Microsoft system events
Nagios Network Monitoring
Palo Alto Networks PAN-OS
Powertech SIEM Agent: cef0.powertech.siemAgent
Preempt Behavioral Firewall
Proofpoint Messaging Security Gateway
RSA Identity Management and Governance
SAP - Security Audit Log
Snort Intrusion Detection (Open source)
Sophos XG firewall
Symantec Data Loss Prevention
Symantec Email Security
Symantec Endpoint Protection Mobile
Trend Micro Control Manager
Trend Micro Deep Discovery Analyzer
Trend Micro TippingPoint Unity One IPS
To start sending data to Devo using this tag, you must configure some parameters: go to Policies → Common Objects → Other → Syslog Configuration and enter the connection parameters there. If the customer has dedicated data nodes, use the endpoint provided by Devo.
Trend Micro XDR
WatchGuard XTM 11.x.x
Websense (now part of Forcepoint)