List of Devo parsers

Overview

Devo is equipped to receive, store, and parse events seamlessly and securely from a wide range of commercial data sources including operating systems, networking infrastructure devices, business applications, and more. Each data source, or supported technology, is assigned a Devo tag that must be attached to each event when it is delivered to the Devo cloud. This tag is a critical part of what makes Devo so powerful and fast as it determines how Devo will store and retrieve the events for display.

We know this as a parser; a technology that organizes raw events stored in a tag in different columns and displays them in the corresponding table. In most cases, the Devo tag assigned to a set of events correspond to the table that users will access from the Data Search area of the Devo app.

A closer look at tags and tables

Read the articles About Devo tags and Special Devo tags and data tables to learn the difference between tags and tables, and to discover some special tags and data tables you will find useful when working with Devo.

List of parsers

Check out the complete list of the Devo parsers here, classified by companies and ordered alphabetically. In the following articles, you can find the Devo parsers organized by categories.

Access point

This group includes tags that start with the level ap. These tags identify data generated by access point devices.

Company

Product / service

Data tables

Encontrados 5 zero-days en Cisco Discovery Protocol - Una al Día

Cisco Wireless LAN Controller

ap.cisco.wlc

Check more info about this parser

Antivirus

This group includes tags that start with the level av. These tags identify data generated by antivirus and protection software.

Company	Product / service	Data tables
	Mobile Threat Prevention	`av.checkpoint.mtp.audit` `av.checkpoint.mtp.event`
	F-Secure Internet Gatekeeper	`av.fsecure.igk.access`
	McAfee ePolicy Orchestrator (McAfee ePO)	`av.mcafee.epo.agent` `av.mcafee.epo.endpointsecurity` `av.mcafee.epo.virusscan` Check more info about these parsers
	SentinelOne Endpoint Protection Platform (EPP)	`av.sentinelone.events`
	Sophos AntiVirus	`av.sophos.applicationcontrol` `av.sophos.devicecontrol` `av.sophos.enterprise` `av.sophos.events` `av.sophos.tamperprotection` `av.sophos.threatinstances` `av.sophos.threats` Check more info about these parsers
	Symantec Endpoint Protection	`av.symantec.sep.mail`
	Symantec Endpoint Protection Cloud	`av.symantec.sepc.events`
	Deep Security Software	`av.trendmicro.deepsec.agent` `av.trendmicro.deepsec.console` `av.trendmicro.deepsec.manager`
	InterScan Web Security Virtual Appliance	`av.trendmicro.iwsva.event`

API

This group includes tags that start with the level api. These tags identify data generated by APIs (Application Programming Interface).

Company	Product / service	Data tables
	IBM API Connect	`api.ibm.connect.audit` `api.ibm.connect.event`

Application software

This group includes tags that start with the level app. These tags identify data generated by application software.

Company	Product / service	Data tables
	Confluence	`app.atlassian.confluence.audit`
	Jira	`app.atlassian.jira.audit`
	Slack	`app.slack.audit`

Authentication

This group includes tags that start with the level auth. These tags identify data generated by authentication services and systems.

Company	Product / service	Data tables
	Cisco Identity Services Engine	`auth.cisco.ise` Check more info about this parser
	Duo platform	`auth.duo.administrator.login` `auth.duo.administrator.events` `auth.duo.authentication.events` `auth.duo.authentication-proxy.events` `auth.duo.telephony.event` Check more info about these parsers
	Keeper Security Audit	`auth.keepersecurity.audit.events` Check more info about this parser
	Linux/Unix authorization activity	`auth.unix`
	Okta Authentication Server	`auth.okta.events` `auth.okta.system` `auth.okta.apps` `auth.okta.groups` `auth.okta.policies` `auth.okta.users`
	PingFederate	`auth.ping.federate.audit` `auth.ping.federate.server`
	SecureAuth identity platform	`auth.secureauth.events` Check more info about this parser
	SecurIdentity platform	`auth.securenvoy.admin` `auth.securenvoy.batch` `auth.securenvoy.enrol` `auth.securenvoy.radius` `auth.securenvoy.syslog` `auth.securenvoy.websms` Check more info about these parsers

Operating systems

This group includes tags that start with the level box. These tags identify data generated by operating systems.

Company	Product / service	Data tables
	macOS X	`box.macos` Check more info about this parser
	Docker container logs	`box.docker.stats`
	z/OS for IBM mainframes	`box.zos`
	IBM i	`box.as400.audit.type2` Check more info about this parser
	go-audit Linux auditing	`box.audit.unix.go-audit`
	Linux kernel firewall - iptables	`box.iptables` Check more info about this parser
	Oracle VMware (ESX) Machine System Logs This technology is also supported in CEF via syslog.^+info	`box.vmware.esx` `box.vmware.vcenter` Check more info about these parsers
	Unix-like System Logs	`box.unix` Check more info about this parser
	Windows Event Logs	`box.win` Check more info about this parser
	Windows logs via NXlog	`box.win_nxlog.application` `box.win_nxlog.group_policy` `box.win_nxlog.invalid` `box.win_nxlog.other` `box.win_nxlog.powershell` `box.win_nxlog.print` `box.win_nxlog.remote_conn` `box.win_nxlog.security` `box.win_nxlog.smb` `box.win_nxlog.sysmon` `box.win_nxlog.system` `box.win_nxlog.windows_powershell` Check more info about these parsers
	Windows logs via Snare	`box.win_snare` Check more info about this parser
	Windows log via Quest Intrust	`box.win_intrust` `box.win_intrust.application` `box.win_intrust.security` `box.win_intrust.system` `box.win_intrust.other` `box.win_intrust.invalid` Check more info about these parsers

Cloud

This group includes tags that start with the level cloud. These tags identify data generated by Cloud services.

Company	Product / service	Data tables
	AWS CloudTrail	`cloud.aws.cloudtrail.access_analyzer` `cloud.aws.cloudtrail.acm` `cloud.aws.cloudtrail.acm_pca` `cloud.aws.cloudtrail.amazonmq` `cloud.aws.cloudtrail.apigateway` `cloud.aws.cloudtrail.appmesh` `cloud.aws.cloudtrail.appstream` `cloud.aws.cloudtrail.appsync` `cloud.aws.cloudtrail.athena` `cloud.aws.cloudtrail.backup` `cloud.aws.cloudtrail.batch` `cloud.aws.cloudtrail.billingconsole` `cloud.aws.cloudtrail.budgets` `cloud.aws.cloudtrail.cloudsearch` `cloud.aws.cloudtrail.cloudshell` `cloud.aws.cloudtrail.codeartifact` `cloud.aws.cloudtrail.codebuild` `cloud.aws.cloudtrail.codecommit` `cloud.aws.cloudtrail.codedeploy` `cloud.aws.cloudtrail.codepipeline` `cloud.aws.cloudtrail.cognito_identify` `cloud.aws.cloudtrail.cognito_idp` `cloud.aws.cloudtrail.comprehend` `cloud.aws.cloudtrail.config` `cloud.aws.cloudtrail.datapipeline` `cloud.aws.cloudtrail.dax` `cloud.aws.cloudtrail.digest_logfile` `cloud.aws.cloudtrail.digest_meta` `cloud.aws.cloudtrail.directconnect` `cloud.aws.cloudtrail.dms` `cloud.aws.cloudtrail.ds` `cloud.aws.cloudtrail.ecr_public` `cloud.aws.cloudtrail.ecs` `cloud.aws.cloudtrail.elasticache` `cloud.aws.cloudtrail.elasticbeanstalk` `cloud.aws.cloudtrail.elastictranscoder` `cloud.aws.cloudtrail.es` `cloud.aws.cloudtrail.firehose` `cloud.aws.cloudtrail.fsx` `cloud.aws.cloudtrail.glacier` `cloud.aws.cloudtrail.glue` `cloud.aws.cloudtrail.guardduty` `cloud.aws.cloudtrail.identifystore` `cloud.aws.cloudtrail.kafka` `cloud.aws.cloudtrail.kinesisanalytics` `cloud.aws.cloudtrail.kinesisvideo` `cloud.aws.cloudtrail.lakeformation` `cloud.aws.cloudtrail.license_manager` `cloud.aws.cloudtrail.lightsail` `cloud.aws.cloudtrail.mediaconnect` `cloud.aws.cloudtrail.mediaconvert` `cloud.aws.cloudtrail.mediapackage` `cloud.aws.cloudtrail.mediastore` `cloud.aws.cloudtrail.mediatailor` `cloud.aws.cloudtrail.network_firewall` `cloud.aws.cloudtrail.opsworks` `cloud.aws.cloudtrail.opsworks_cm` `cloud.aws.cloudtrail.pi` `cloud.aws.cloudtrail.pricelist` `cloud.aws.cloudtrail.ram` `cloud.aws.cloudtrail.rekognition` `cloud.aws.cloudtrail.route53domains` `cloud.aws.cloudtrail.route53resolver` `cloud.aws.cloudtrail.sagemaker` `cloud.aws.cloudtrail.savingsplans` `cloud.aws.cloudtrail.schemas` `cloud.aws.cloudtrail.securityhub` `cloud.aws.cloudtrail.servicecatalog` `cloud.aws.cloudtrail.servicecatalog_appregistry` `cloud.aws.cloudtrail.servicediscovery` `cloud.aws.cloudtrail.servicesquotas` `cloud.aws.cloudtrail.shield` `cloud.aws.cloudtrail.sms` `cloud.aws.cloudtrail.soo_directory` `cloud.aws.cloudtrail.ssm` `cloud.aws.cloudtrail.states` `cloud.aws.cloudtrail.storagegateway` `cloud.aws.cloudtrail.support` `cloud.aws.cloudtrail.swf` `cloud.aws.cloudtrail.translate` `cloud.aws.cloudtrail.trustedadvisor` `cloud.aws.cloudtrail.waf` `cloud.aws.cloudtrail.waf_regional` `cloud.aws.cloudtrail.wafv2` `cloud.aws.cloudtrail.wellarchitected` `cloud.aws.cloudtrail.workspaces` `cloud.aws.cloudtrail.xray` Check more info about these parsers
	AWS CloudWatch	`cloud.aws.cloudwatch.events` Check more info about this parser
	AWS Simple Queue Service (SQS)	`cloud.aws.sqs.audit`
	AWS Web Application Firewall (WAF)	`cloud.aws.waf.logs`
	Azure Active Directory	`cloud.azure.ad.audit` `cloud.azure.ad.managed_identity_signin` `cloud.azure.ad.noninteractive_user_signin` `cloud.azure.ad.provisioning` `cloud.azure.ad.risky_users` `cloud.azure.ad.service_principal_signin` `cloud.azure.ad.signin` `cloud.azure.ad.user_risk_events` Check more info about these parsers
	Azure Activity log	`cloud.azure.activity.events` Check more info about these parsers
	Azure App Service	`cloud.azure.appservice.administrative` `cloud.azure.appservice.policy` Check more info about these parsers
	Azure Application Gateway	`cloud.azure.appgetaway.access_log` `cloud.azure.appgetaway.administrative` `cloud.azure.appgetaway.firewall_log` `cloud.azure.appgetaway.policy` Check more info about these parsers
	Azure Container Registry	`cloud.azure.contregistry.login` Check more info about these parsers
	Azure Data Factory	`cloud.azure.datafactory.administrative` Check more info about these parsers
	Azure Database for PostgreSQL	`cloud.azure.postgresql.events` Check more info about these parsers
	Azure Diagnostics extension	`cloud.azure.wad.waddirectories` `cloud.azure.wad.wadperformancecounters` `cloud.azure.wad.wadwindowseventlogs` Check more info about these parsers
	Azure Event Hub	`cloud.azure.eh.events` `cloud.azure.eh.metrics` Check more info about these parsers
	Azure Firewall	`cloud.azure.firewall.application_rule` `cloud.azure.firewall.network_rule` `cloud.azure.firewall.dns_proxy` Check more info about these parsers
	Azure Front Door	`cloud.azure.frontdoor.access` `cloud.azure.frontdoor.waf` Check more info about these parsers
	Azure Host Pool	`cloud.azure.hostpools` `cloud.azure.hostpools.agenthealthstatus` `cloud.azure.hostpools.checkpoint` `cloud.azure.hostpools.connection` `cloud.azure.hostpools.error` `cloud.azure.hostpools.management` Check more info about these parsers
	Azure Key Vault	`cloud.azure.keyvault.administrative` `cloud.azure.keyvault.audit` `cloud.azure.keyvault.policy` Check more info about these parsers
	Azure Kubernetes Service	`cloud.azure.aks.cluster_autoscaler` `cloud.azure.aks.guard` `cloud.azure.aks.kube_apiserver` `cloud.azure.aks.kube_audit` `cloud.azure.aks.kube_audit_admin` `cloud.azure.aks.kube_controller_manager` `cloud.azure.aks.kube_scheduler` Check more info about these parsers
	Azure Monitor	`cloud.azure.monitor.alert` `cloud.azure.monitor.audit` Check more info about these parsers
	Azure Monitor Metrics	`cloud.azure.metrics.metricsBlobLog` `cloud.azure.metrics.metricsCapacityBlob` `cloud.azure.metrics.metricsTableLog` `cloud.azure.metrics.metricsTransactionsBlob` `cloud.azure.metrics.metricsTransactionsQueue` `cloud.azure.metrics.metricsTransactionsTable` Check more info about these parsers
	Azure Monitor Metrics: other metrics	`cloud.azure.others.administrative` `cloud.azure.others.autoscale` `cloud.azure.others.events` `cloud.azure.others.policy` `cloud.azure.others.recommendation` `cloud.azure.others.resourcehealth` Check more info about these parsers
	Azure Network Security	`cloud.azure.sec.nsg` `cloud.azure.sec.rms` Check more info about these parsers
	Azure Security Center	`cloud.azure.securitycenter.security` Check more info about these parsers
	Azure Site Recovery	`cloud.azure.siterecovery.addon_backup_jobs` `cloud.azure.siterecovery.addon_backup_policy` `cloud.azure.siterecovery.addon_backup_protected_inst` `cloud.azure.siterecovery.addon_backup_storage` `cloud.azure.siterecovery.backup_report` `cloud.azure.siterecovery.core_backup` `cloud.azure.siterecovery.net_sec_group_event` `cloud.azure.siterecovery.net_sec_group_rule_counter` `cloud.azure.siterecovery.site_rec_recovery_points` `cloud.azure.siterecovery.site_rec_rep_stats` `cloud.azure.siterecovery.site_rec_replicated_items` Check more info about these parsers
	Azure SQL Database	`cloud.azure.sql.automatic_tuning` `cloud.azure.sql.resourceusagestats` `cloud.azure.sql.securityauditevents` `cloud.azure.sql.query_store_runtime` Check more info about these parsers
	Azure Storage Server	`cloud.azure.storage.administrative` Check more info about these parsers
	Azure Virtual Machines	`cloud.azure.vm.administrative` `cloud.azure.vm.metrics_simple` `cloud.azure.vm.policy` `cloud.azure.vm.resourcehealth` Check more info about these parsers
	Azure Virtual Machine Scale Sets	`cloud.azure.vmscalesets.administrative` `cloud.azure.vmscalesets.autoscale` `cloud.azure.vmscalesets.policy` `cloud.azure.vmscalesets.resourcehealth` Check more info about these parsers
	Box cloud content management	`cloud.box.events` Check more info about these parsers
	Cloudflare	`cloud.cloudflare.logpush.<eventType>` `cloud.cloudflare.logpush.http`
	Cloud Foundry application	`cloud.cloud_foundry.application` `cloud.cloud_foundry.uaa` `cloud.cloud_foundry.credhub` `cloud.cloud_foundry.bosh` Check more info about these parsers
	Google Cloud	`cloud.gcp.scc.event_threat` Check more info about these parsers
	Netskope cloud	`cloud.netskope.events`
	Microsoft Office 365 (hosted on Azure)	`cloud.office365.exchange` `cloud.office365.management` Check more info about these parsers
	Microsoft Office 365 Business event and alert logs	`cloud.office365.siem_agent_event` `cloud.office365.siem_agent_alert` Check more info about these parsers
	Rubrik cloud data management	`cloud.rubrik.events`
	VMware Tanzu Operations Manager	`cloud.vmware_tanmzu.opsmanager.audit` Check more info about these parsers

Cloud Access Security Broker

This group includes tags that start with the level casb. These tags identify data generated by Cloud Access Security Broker (CASB) systems.

Company

Product / service

Data tables

Netskope CASB (Cloud Access Security Broker)

casb.netskope.alert
casb.netskope.application
casb.netskope.audit
casb.netskope.client
casb.netskope.infrastructure
casb.netskope.network
casb.netskope.page

Check more info about these parsers

Content Delivery Network

This group includes tags that start with the level cdn. These tags identify data generated by Content Delivery Networks (CDN).

Company

Product / service

Data tables

Akamai CDN

cdn.akamai.access
cdn.akamai.audit
cdn.akamai.audit-extended
cdn.akamai.cloudmonitor

Check more info about these parsers

Triton CDN

cdn.triton.access

Content Management Systems

This group includes tags that start with the level cms. These tags identify data generated by Content Management Systems (CMS).

Company	Product / service	Data tables
	WordPress software	`cms.wordpress.stdout`

Customer Relationship Management

This group includes tags that start with the level crm. These tags identify data generated by Customer Relationship Management (CRM) solutions.

Company	Product / service	Data tables
	Salesforce logs	`crm.salesforce.admin` `crm.salesforce.apexcallout` `crm.salesforce.apexexecution` `crm.salesforce.apexsoap` `crm.salesforce.apextrigger` `crm.salesforce.apexunexpectedexception` `crm.salesforce.api` `crm.salesforce.asyncreportrun` `crm.salesforce.audit` `crm.salesforce.contenttransfer` `crm.salesforce.documentattachmentdownloads` `crm.salesforce.login` `crm.salesforce.logout` `crm.salesforce.metadataapioperation` `crm.salesforce.queuedexecution` `crm.salesforce.report` `crm.salesforce.reportexport` `crm.salesforce.restapi` `crm.salesforce.search` `crm.salesforce.searchclick` `crm.salesforce.timebasedworkflow` `crm.salesforce.uri` `crm.salesforce.visualforcerequest`

Database

This group includes tags that start with the level db. These tags identify data generated by databases.

Company	Product / service	Data tables
	IBM Db2 Database	`db.db2.audit` Check more info about these parsers
	Microsoft SQL Server	`db.mssql.audit` `db.mssql.error`
	MongoDB	`db.mongodb.out` Check more info about these parsers
	MySQL Server	`db.mysql.error` `db.mysql.out` `db.mysql.slow` Check more info about these parsers
	Netezza Performance Server	`db.netezza.out` Check more info about these parsers
	Oracle database	`db.oracle.audit_trail` Check more info about these parsers
	PostgreSQL	`db.postgresql.out`
	Teradata	`db.teradata.out`

Data Loss Prevention

This group includes tags that start with the level dlp. These tags identify data generated by Data Loss Prevention (DLP) systems.

Company	Product / service	Data tables
	Digital Guardian Endpoint DLP	`dlp.digitalguardian.endpointdlp.alerts` `dlp.digitalguardian.endpointdlp.audit` `dlp.digitalguardian.endpointdlp.classification`
	Digital Guardian Network DLP	`dlp.digitalguardian.networkdlp`

Data Security Platform

This group includes tags that start with the level dsp. These tags identify data generated by Data Security Platforms (DSP).

Company

Product / service

Data tables

Accellion Secure File Sharing

dsp.accellion.sft.events

Check more info about these parsers

Vormetric Data Security Platform

dsp.vormetric.dsm.events

Check more info about these parsers

Directory services

This group includes tags that start with the level directory. These tags identify data generated by directory services.

Company

Product / service

Data tables

Microsoft Active Directory

directory.msad.health
directory.msad.netlogon
directory.msad.siteinfo
directory.msad.snapshot
directory.msad.update

Oracle Unified Directory

directory.oracle.sun_one.ldap_access

Check more info about these parsers

Distributed-Denial-of-Service

This group includes tags that start with the level ddos. These tags identify data generated by DDoS (Distributed-Denial-of-Service) protection systems.

Company	Product / service	Data tables
	Arbor DDoS Attack Protection Solutions	`ddos.arbor.peakflow.dos` `ddos.arbor.peakflow.sp` `ddos.arbor.pravail.aps`
	Huawei DDoS Protection Systems	`ddos.huawei.antiddos` `ddos.huawei.antiddos.sec`

Domain Name Systems

This group includes tags that start with the level dns. These tags identify data generated by Domain Name Systems (DNS).

Company	Product / service	Data tables
	BIND Name Server	`dns.bind.info` `dns.bind.query` Check more info about these parsers
	Bluecat DNS	`dns.bluecat.named` Check more info about these parsers
	Infoblox DNS	`dns.infoblox.response`
	Microsoft Windows DNS	`dns.windows` Check more info about these parsers

Dynamic Host Configuration Protocol

This group includes tags that start with the level dhcp. These tags identify data generated by Dynamic Host Configuration Protocol (DHCP) services.

Company	Product / service	Data tables
	Bluecat DHCP server	`dhcp.bluecat.dhcpd`
	Infoblox DHCP server	`dhcp.infoblox.stdout`
	Microsoft DHCP server	`dhcp.microsoft.ip4` `dhcp.microsoft.ip6`
	Unix DHCP server	`dhcp.unix.stdout`

Endpoint Detection and Response

This group includes tags that start with the level edr. These tags identify data generated by Endpoint Detection and Response (EDR) systems.

Company	Product / service	Valid tags
	Carbon Black Endpoint Detection and Response	`edr.carbonblack.alert` `edr.carbonblack.binary` `edr.carbonblack.feed` `edr.carbonblack.ingress` `edr.carbonblack.watchlist`
	Crowdstrike Endpoint Detection & Response	`edr.crowdstrike.cannon` `edr.crowdstrike.cannon.asepvalueupdate` `edr.crowdstrike.cannon.channelversionrequired` `edr.crowdstrike.cannon.dnsrequest` `edr.crowdstrike.cannon.endofprocess` `edr.crowdstrike.cannon.neighborlistip4` `edr.crowdstrike.cannon.networkconnectip4` `edr.crowdstrike.cannon.other` `edr.crowdstrike.cannon.processrollup2` `edr.crowdstrike.cannon.processrollup2stats` `edr.crowdstrike.cannon.sensorheartbeat` `edr.crowdstrike.cannon.syntheticprocessrollup2`
	Cylance PROTECT	`edr.cylance.app` `edr.cylance.audit` `edr.cylance.device` `edr.cylance.memory` `edr.cylance.script` `edr.cylance.threats`
	Fireeye Endpoint Detection & Response	`edr.fireeye.alerts`
	Minerva Labs anti-evasion platform	`edr.minervalabs`
	ObserveIT Insider Threat Detection	`edr.observeit.events`
	Palo Alto Cortex XDR	`edr.paloalto.cortex_xdr` `edr.paloalto.cortex_xdr_agent`
	Symantec Endpoint Detection & Response	`edr.symantec.events`

Endpoint protection

This group includes tags that start with the level endpoint. These tags identify data generated by endpoint-related systems.

Company	Product / service	Valid tags
	Symantec Endpoint Protection Manager	`endpoint.symantec.sepm.agent_behavior` `endpoint.symantec.sepm.agent_risk` `endpoint.symantec.sepm.agent_scan` `endpoint.symantec.sepm.agent_security` `endpoint.symantec.sepm.agent_system` `endpoint.symantec.sepm.others`

Enterprise Resource Planning

This group includes tags that start with the level erp. These tags identify data generated by Enterprise Resource Planning (ERP) systems.

Company

Product / service

Valid tags

PeopleSoft software

erp.peoplesoft.info

Firewall systems

This group includes tags that start with the level firewall. These tags identify data generated by firewall services.

Company	Product / service	Valid tags
	Barracuda firewall	`firewall.barracuda.audit`
	Check Point Firewall	`firewall.checkpoint.fw`
	Check Point GAiA	`firewall.checkpoint.gaia`
	Check Point OPSEC LEA	`firewall.checkpoint.lea`
	Check Point Log Exporter	`firewall.checkpoint.log_exporter`
	Cisco ASA This technology is also supported in CEF via syslog.	`firewall.cisco.asa`
	Cisco Firepower Management Center	`firewall.cisco.fmc`
	Cisco Firepower Threat Defense	`firewall.cisco.ftd`
	Cisco Firewall Services Module This technology is also supported in CEF via syslog.	`firewall.cisco.fwsm`
	Cisco PIX	`firewall.cisco.pix`
	Fortinet FortiGate (FortiOS Traffic, Security, and Event logs) This technology is also supported in CEF via syslog.	`firewall.fortinet.anomaly.anomaly` `firewall.fortinet.event.admin` `firewall.fortinet.event.config` `firewall.fortinet.event.dhcp` `firewall.fortinet.event.dns` `firewall.fortinet.event.ha` `firewall.fortinet.event.his-performance` `firewall.fortinet.event.ipsec` `firewall.fortinet.event.pattern` `firewall.fortinet.event.perf.historical` `firewall.fortinet.event.sslvpn-session` `firewall.fortinet.event.sslvpn-user` `firewall.fortinet.event.system` `firewall.fortinet.event.user` `firewall.fortinet.event.vpn` `firewall.fortinet.event.wireless` `firewall.fortinet.ips.anomaly` `firewall.fortinet.traffic.forward` `firewall.fortinet.traffic.local` `firewall.fortinet.traffic.multicast` `firewall.fortinet.traffic.other` `firewall.fortinet.traffic.violation` `firewall.fortinet.utm.app-ctrl` `firewall.fortinet.utm.emailfilter` `firewall.fortinet.utm.ips` `firewall.fortinet.utm.virus` `firewall.fortinet.utm.webfilter`
	Huawei firewall	`firewall.huawei.ngfw.aaa` `firewall.huawei.ngfw.cm` `firewall.huawei.ngfw.fw-log` `firewall.huawei.ngfw.ifnet` `firewall.huawei.ngfw.ifpdt` `firewall.huawei.ngfw.info` `firewall.huawei.ngfw.module` `firewall.huawei.ngfw.mstp` `firewall.huawei.ngfw.ntp` `firewall.huawei.ngfw.sec` `firewall.huawei.ngfw.shell` `firewall.huawei.ngfw.spr` `firewall.huawei.ngfw.ssh`
	Juniper Integrated Services Gateway	`firewall.juniper.isg.system` `firewall.juniper.isg.traffic` `firewall.juniper.srx.idp` `firewall.juniper.srx.probe` `firewall.juniper.srx.system` `firewall.juniper.srx.traffic` `firewall.juniper.srx.utm` `firewall.juniper.ssg.system` `firewall.juniper.ssg.traffic`
	Juniper Network & Security Manager This technology is also supported in CEF via syslog.	`firewall.juniper.nsm.traffic`
	Juniper SRX-series Firewalls	`firewall.juniper.srx.idp` `firewall.juniper.srx.probe` `firewall.juniper.srx.system` `firewall.juniper.srx.traffic` `firewall.juniper.srx.utm`
	Juniper Secure Services Gateway	`firewall.juniper.ssg.system` `firewall.juniper.ssg.traffic`
	Cisco Meraki Firewall	`firewall.meraki.events` `firewall.meraki.flows` `firewall.meraki.idsAlerts` `firewall.meraki.urls`
	Linux kernel firewall - iptables	`firewall.iptables.std`
	Microsoft Windows Firewall	`firewall.windows.stdout`
	Palo Alto Networks Firewall	`firewall.paloalto.config` `firewall.paloalto.system` `firewall.paloalto.threat` `firewall.paloalto.traffic` `firewall.paloalto.correlation` `firewall.paloalto.hipmatch` `firewall.paloalto.url` `firewall.paloalto.userid`
	pfSense Firewall	`firewall.pfsense.everything` `firewall.pfsense.filterlog` `firewall.pfsense.firewall` `firewall.pfsense.system`
	SonicWall Firewall (SonicOS)	`firewall.sonicwall.general` `firewall.sonicwall.genv58`
	Sophos UTM Sophos XG Firewall	`firewall.sophos.general.system` `firewall.sophos.securemail.smtp` `firewall.sophos.securenet.ips` `firewall.sophos.securenet.packetfilter` `firewall.sophos.securenet.vpn` `firewall.sophos.secureweb.eplog` `firewall.sophos.secureweb.http` `firewall.sophos.system.auth` `firewall.sophos.system.confd` `firewall.sophos.system.eplog` `firewall.sophos.system.epsecd` `firewall.sophos.system.ha` `firewall.sophos.system.loadbalancing` `firewall.sophos.system.red` `firewall.sophos.system.up2date` `firewall.sophos.system.wifi` `firewall.sophos.xgfirewall.contentfiltering` `firewall.sophos.xgfirewall.fw` `firewall.sophos.xgfirewall.general` `firewall.sophos.xgfirewall.wirelessprotection` `firewall.sophos.xgfirewall.contentfiltering` `firewall.sophos.xgfirewall.fw` `firewall.sophos.xgfirewall.general` `firewall.sophos.xgfirewall.wirelessprotection`
	StoneGate Firewall - Forcepoint NGFW	`firewall.stonegate.ips` `firewall.stonegate.leef` `firewall.stonegate.xml`
	WatchGuard Security	`firewall.watchguard.traffic`

File Transfer Protocol

This group includes tags that start with the level ftp. These tags identify data generated by File Transfer Protocol (FTP) systems

Company	Product / service	Valid tags
	Microsoft Internet Information Services (IIS) FTP Services	`ftp.iis.access-w3c-all`

Gateway

This group includes tags that start with the level gateway. These tags identify data generated by secure access application systems

Company	Product / service	Valid tags
	Okta Access Gateway	`gateway.okta.oag.access` `gateway.okta.oag.audit` `gateway.okta.oag.monitor`

Identity and Access Management

This group includes tags that start with the level iam. These tags identify data generated by Identity and Access Management (IAM) systems.

Company	Product / service	Valid tags
	CyberArk Enterprise Password Vault This technology is also supported in CEF via syslog.	`iam.cyberark.vault`
	Hitachi ID Password Manager	`iam.hitachi.password.events`
	Sailpoint Identity & Access Management	`iam.sailpoint.events`

Infrastructure

This group includes tags that start with the level infra. These tags identify data generated by Infrastructure as code (IaC) systems.

Company	Product / service	Valid tags
	Terraform	`infra.terraform.app.archivist` `infra.terraform.app.atlas` `infra.terraform.app.build_manager` `infra.terraform.app.build_worker` `infra.terraform.app.other` `infra.terraform.app.sidekiq` `infra.terraform.app.slug_ingress` `infra.terraform.audit.atlas` `infra.terraform.audit.sidekiq`

Intrusion Detection Systems

This group includes tags that start with the level ids. These tags identify data generated by Intrusion Detection Systems (IDS).

Company	Product / service	Valid tags
	Attivo BOTsink	`ids.attivo.botsink`
	Bricata IDS	`ids.bricata.broall` `ids.bricata.brocata` `ids.bricata.broconn` `ids.bricata.burocata` `ids.bricata.suricata`
	Bro IDS (now Zeek Network Security Monitor)	`ids.bro.captureloss` `ids.bro.communication` `ids.bro.conn` `ids.bro.dhcp` `ids.bro.dns` `ids.bro.dpd` `ids.bro.files` `ids.bro.ftp` `ids.bro.http` `ids.bro.knownhosts` `ids.bro.knownservices` `ids.bro.notice` `ids.bro.reporter` `ids.bro.snmp` `ids.bro.software` `ids.bro.ssh` `ids.bro.ssl` `ids.bro.stats` `ids.bro.weird` `ids.bro.x509`
	Darktrace platform	`ids.darktrace.threats`
	ExtraHop solution	`ids.extrahop.audit` `ids.extrahop.detections` `ids.extrahop.cifs` `ids.extrahop.crwd` `ids.extrahop.dhcp` `ids.extrahop.dns` `ids.extrahop.ftp` `ids.extrahop.http` `ids.extrahop.kerberos` `ids.extrahop.ldap` `ids.extrahop.llmnr` `ids.extrahop.mongodb` `ids.extrahop.nfs` `ids.extrahop.ntlm` `ids.extrahop.rdp` `ids.extrahop.rfb` `ids.extrahop.rpc` `ids.extrahop.ssh` `ids.extrahop.ssl` `ids.extrahop.telnet` `ids.extrahop.flow`
	Huawei NIP intrusion detection system (IDS)	`ids.huawei.nip.assoc` `ids.huawei.nip.atk` `ids.huawei.nip.iprpu`
	Juniper SRX Firewall	`ids.juniper.srx`
	Resevoir R-Scope Advanced Threat Detection	`ids.rscope.communication` `ids.rscope.conn` `ids.rscope.dce_rpc` `ids.rscope.dhcp` `ids.rscope.dns` `ids.rscope.dpd` `ids.rscope.files` `ids.rscope.ftp` `ids.rscope.http` `ids.rscope.intel` `ids.rscope.irc` `ids.rscope.kerberos` `ids.rscope.known_hosts` `ids.rscope.known_services` `ids.rscope.modbus` `ids.rscope.mysql` `ids.rscope.notice` `ids.rscope.ntlm` `ids.rscope.pe` `ids.rscope.protocolstats_orig` `ids.rscope.protocolstats_resp` `ids.rscope.radius` `ids.rscope.rdp` `ids.rscope.removed_files` `ids.rscope.reporter` `ids.rscope.rfb` `ids.rscope.rscopestats-byte` `ids.rscope.rscopestats-core` `ids.rscope.rscopestats-misc` `ids.rscope.rscopestats-pckt` `ids.rscope.rscopestats-port` `ids.rscope.rscopestats-sys` `ids.rscope.sip` `ids.rscope.smb_files` `ids.rscope.smb_mapping` `ids.rscope.smtp` `ids.rscope.snmp` `ids.rscope.socks` `ids.rscope.software` `ids.rscope.ssh` `ids.rscope.ssl` `ids.rscope.stats` `ids.rscope.stderr` `ids.rscope.stdout` `ids.rscope.syslog` `ids.rscope.tunnel` `ids.rscope.weird` `ids.rscope.x509`
	Snort Intrusion Detection (Open source)	`ids.snort.unified2`
	Suricata threat detection engine	`ids.suricata.dns` `ids.suricata.events` `ids.suricata.fast` `ids.suricata.files` `ids.suricata.http` `ids.suricata.stdout`

Intrusion Prevention Systems

This group includes tags that start with the level ips. These tags identify data generated by Intrusion Prevention Systems (IPS).

Company	Product / service	Valid tags
	Cisco IOS Intrusion Prevention System (IPS)	`ips.cisco.sdee.alerts` `ips.cisco.sdee.sdee-collector` `ips.cisco.sourcefire.network`
	Corero IPS 5500 EC-Series	`ips.corero.common`
	Corero Top Layer IPS	`ips.toplayer.common`
	Proventia Network IPS	`ips.proventia.siteprotector.leef`
	Trend Micro TippingPoint Intrusion Prevention System	`ips.tippingpoint.sms`

Key Management Systems

This group includes tags that start with the level kms. These tags identify data generated by Key Management Systems (KMS).

Company	Product / service	Valid tags
	Venafi certificate management	`kms.venafi.events`

Email

This group includes tags that start with the level mail. These tags identify data generated by email servers.

Company	Product / service	Valid tags
	Cisco Email Security Appliance	`mail.cisco.esa.stdout`
	Dovecot email server	`mail.dovecot.audit`
	Microsoft Exchange Server	`mail.exchange.messagetracking` `mail.exchange.ncsa` `mail.exchange.w3c`
	FortiMail: Secure Email Gateway	`mail.fortinet.event.admin` `mail.fortinet.event.config` `mail.fortinet.event.ha` `mail.fortinet.event.smtp` `mail.fortinet.event.update` `mail.fortinet.spam` `mail.fortinet.statistics` `mail.fortinet.virus.infected`
	Mimecast Secure Email Gateway Mimecast Targeted Threat Protection	`mail.mimecast.archive` `mail.mimecast.archive.messageview` `mail.mimecast.archive.search` `mail.mimecast.audit.events` `mail.mimecast.siem` `mail.mimecast.siem.delivery` `mail.mimecast.siem.jrnl` `mail.mimecast.siem.process` `mail.mimecast.siem.receipt` `mail.mimecast.ttp` `mail.mimecast.ttp.attachment` `mail.mimecast.ttp.impersonation` `mail.mimecast.ttp.url` `mail.mimecast.message.list` `mail.mimecast.message.summary` `mail.mimecast.threat.feed` `mail.mimecast.account.dashboard`
	Postfix mail server	`mail.postfix.error` `mail.postfix.info`
	Proofpoint Email Protection	`mail.proofpoint.tapsiem_v2` `mail.proofpoint.sendmail` `mail.proofpoint.stdout` `mail.proofpoint.trap` `mail.proofpoint.tapsiem_v2.clicksblocked` `mail.proofpoint.tapsiem_v2.clickspermitted` `mail.proofpoint.tapsiem_v2.messagesblocked` `mail.proofpoint.tapsiem_v2.messagesdelivered`
	Trend Micro InterScan Messaging Security Suite (IMSS)	`mail.smtp.as400alerts` `mail.smtp.dlp` `mail.smtp.general` `mail.smtp.imss-polevt` `mail.smtp.spam-eti` `mail.smtp.spam-spain` `mail.smtp.spam-tis` `mail.smtp.spam-trap`

Mainframes

This group includes tags that start with the level mainframe. These tags identify data generated by mainframe systems.

Company	Product / service	Valid tags
	IBM mainframe	`mainframe.ibm.type80.<subtype>`

Monitoring

This group includes tags that start with the level monitor. These tags identify data generated by monitoring systems.

Company	Product / service	Valid tags
	Nagios Network Monitoring This technology is also supported in CEF via syslog.	`monitor.nagios`
	BMC PATROL performance management	`monitor.patrol`
	MainView Monitoring (now BMC AMI Ops Monitoring)	`monitor.mainview.out`

Message Queueing

This group includes tags that start with the level mq. These tags identify data generated by message queueing systems.

Company	Product / service	Valid tags
	IBM WebSphere MQ (MQSeries) messaging middleware	`mq.mqseries.error` `mq.mqseries.error-fmt`
	RabbitMQ	`mq.rabbitmq.out`

Metrics

This group includes tags that start with the level metrics. These tags identify data generated by metrics monitoring tools.

Company	Product / service	Valid tags
	Prometheus	`metrics.prometheus`

Network Access Control

This group includes tags that start with the level nac. These tags identify data generated by Network Access Control (NAC) solutions.

Company	Product / service	Valid tags
	Aruba ClearPass	`nac.aruba.cppm.endpoint` `nac.aruba.cppm.policy` `nac.aruba.cppm.system` `nac.aruba.cppm.system_stat` `nac.aruba.os.events`
	Forescout CounterACT This technology is also supported in CEF via syslog.	`nac.forescout.counteract.actions` `nac.forescout.counteract.common` `nac.forescout.counteract.log` `nac.forescout.counteract.policy` `nac.forescout.counteract.system`

Network Statistics

This group includes tags that start with the level netstat. These tags identify data generated by network statistics services.

Company	Product / service	Valid tags
	Exinda Network Orchestrator	`netstat.exinda.orchestrator.stdout`
-	NetFlow traffic	`netstat.netflow.lt` `netstat.netflow.v9`
-	Netmetrio	`netstat.netmetrio.tcprtt.bad-ip4` `netstat.netmetrio.tcprtt.ether` `netstat.netmetrio.tcprtt.ip4` `netstat.netmetrio.tcprtt.libpcap` `netstat.netmetrio.tcprtt.pcap` `netstat.netmetrio.tcprtt.tcp` `netstat.netmetrio.tcprtt.tcprtt` `netstat.netmetrio.tcprtt.tcprtt-error` `netstat.netmetrio.tcprtt.tcprtt-info` `netstat.netmetrio.tcprtt.udp`
-		`netstat.pcap.b16` `netstat.pcap.b16simple`
-		`netstat.ping.collector` `netstat.ping.stats`
-	Simple Network Management Protocol (SNMP)	`netstat.snmp.collector` `netstat.snmp.ifaces` `netstat.snmp.ifaces-all` `netstat.snmp.qos-cisco` `netstat.snmp.qos-port-cisco` `netstat.snmp.traps`
	Zscaler	`netstat.zscaler.analyzer`

Network Systems

This group includes tags that start with the level network. These tags identify data generated by network systems.

Company	Product / service	Valid tags
	Cisco networking devices	`network.cisco.router` `network.cisco.switch` `network.cisco.wireless`
	Cisco Meraki networking logs	`network.meraki.events` `network.meraki.flows` `network.meraki.ids-alerts` `network.meraki.urls` `network.meraki.airmarshal_events` `network.meraki.switch` `network.meraki.security-events`
	Citrix	`network.citrix.adc.aaa` `network.citrix.adc.aaatm` `network.citrix.adc.api` `network.citrix.adc.cli` `network.citrix.adc.event` `network.citrix.adc.gui` `network.citrix.adc.snmp` `network.citrix.adc.ssllog` `network.citrix.adc.sslvpn` `network.citrix.adc.tcp` `network.citrix.adc.<any other>`
	Versa	`network.versa.av.events` `network.versa.cgnat.events` `network.versa.idp.events` `network.versa.ngfw.access` `network.versa.ngfw.identification` `network.versa.ngfw.urlfiltering` `network.versa.sdwan.traffic` `network.versa.sdwan.slaviolation` `network.versa.sdwan.b2bslam`
	VMware	`network.vmware.airwatch.events`

Plagiarism Detection Systems

This group includes tags that start with the level pds. These tags identify data generated by plagiarism detection systems.

Company	Product / service	Valid tags
	Viper plagiarism detection	`pds.pviper.stdout`

Proxy

This group includes tags that start with the level proxy. These tags identify data generated by proxy servers.

Company	Product / service	Valid tags
-	Symantec ProxySG (formerly by Blue Coat Systems)	`proxy.bluecoat.proxysg.bcreportermain_v1` `proxy.bluecoat.proxysg.leef` `proxy.bluecoat.proxysg.main`
	Forcepoint proxy access logs	`proxy.forcepoint.access`
-	HAProxy HTTP log format	`proxy.haproxy.http`
-	Cisco Web Security (formerly IronPort) using AsyncOS Access log in Squid format	`proxy.ironport.access.squid`
-	Microsoft Forefront Threat Management Gateway (formerly Microsoft ISA Server)	`proxy.isaserver.access-w3c-ab`
	McAfee Web Gateway	`proxy.mcafee.webgw.access-ab` `proxy.mcafee.webgw.default`
-	Squid caching proxy	`proxy.squid.access-clf.<serverHostname>` `proxy.squid.access-combined.<serverHostname>` `proxy.squid.access-lt.<serverHostname>` `proxy.squid.access-squid.<serverHostname>` `proxy.squid.access-squid-mime.<serverHostname>` `proxy.squid.cache.<serverHostname>`
-	stunnel TLS Proxy	`proxy.stunnel.stdout`
-	Varnish HTTP Cache	`proxy.varnish.access-combined` `proxy.varnish.access-combined-xff`
	VMware	`network.vmware.airwatch.events`
	Zscaler Internet Access (ZIA)	`proxy.zscaler.zia.alert` `proxy.zscaler.zia.dns` `proxy.zscaler.zia.firewall` `proxy.zscaler.zia.saas_collaboration` `proxy.zscaler.zia.saas_crm` `proxy.zscaler.zia.saas_email` `proxy.zscaler.zia.saas_file` `proxy.zscaler.zia.saas_itsm` `proxy.zscaler.zia.saas_repository` `proxy.zscaler.zia.tunnel` `proxy.zscaler.zia.web`
	Zscaler Secure Web Gateway log fields	`proxy.zscaler.access` `proxy.zscaler.nss` `proxy.zscaler.nss_web.cef` `proxy.zscaler.nss_firewall.cef`

Remote Access Servers

This group includes tags that start with the level ras. These tags identify data generated by Remote Access Servers (RAS).

Company	Product / service	Valid tags
	BeyondTrust	`ras.beyondtrust.events`
	SecureLink remote support	`ras.securelink.admin` `ras.securelink.audit`

Remote Browser Isolation

This group includes tags that start with the level rbi. These tags identify data generated by Remote Browser Isolation (RBI) systems.

Company	Product / service	Valid tags
	Menlo Security - Remote Browser Isolation (RBI)	`rbi.menlo.audit` `rbi.menlo.attachment` `rbi.menlo.email` `rbi.menlo.smtp` `rbi.menlo.web`

Router

This group includes tags that start with the level router. These tags identify data generated by router devices.

Company	Product / service	Valid tags
	Huawei Router	`router.huawei`
	Vyatta Open Source Router	`router.vyatta`

Runtime

This group includes tags that start with the level runtime. These tags identify data generated by runtime environments.

Company	Product / service	Valid tags
	Oracle Java Virtual Machine	`runtime.jvm.advancedactivity` `runtime.jvm.advancederror` `runtime.jvm.advancedoutput` `runtime.jvm.advancedtrace` `runtime.jvm.basicactivity` `runtime.jvm.basicerror` `runtime.jvm.basicoutput` `runtime.jvm.basictrace` `runtime.jvm.nativememorysummary`
	Linux Perf performance analyzing tool	`runtime.linuxperf.fct`

Serving GPRS Support Nodes

This group includes tags that start with the level sgsn. These tags identify data generated by Serving GPRS Support Node (SGSN) solutions.

Company	Product / service	Valid tags
	Ericsson SGSN-MME	`sgsn.mme.ericsson`

Secure Internet Gateways

This group includes tags that start with the level sig. These tags identify data generated by Secure Internet Gateways (SIG).

Company	Product / service	Valid tags
	Cisco Secure Internet Gateway	`sig.cisco.umbrella.dns` `sig.cisco.umbrella.firewall` `sig.cisco.umbrella.ip` `sig.cisco.umbrella.proxy`

Service Management Systems

This group includes tags that start with the level sms. These tags identify data generated by Service Management Systems (SMS).

Company	Product / service	Valid tags
	Adaxes service management system	`sms.adaxes.events`

Social Networks

This group includes tags that start with the level social. These tags identify data generated by social networks.

Company	Product / service	Valid tags
	Twitter	`social.twitter.tweets.common` `social.twitter.tweets.complete` `social.twitter.tweets.trace`

System Software Management

This group includes tags that start with the level ssm. These tags identify data generated by System Software Management services.

Company	Product / service	Valid tags
-	APT (Advanced Packaging Tool) library	`ssm.apt.history` `ssm.apt.term`
-	YUM (Yellowdog Updater Modified) library	`ssm.yum.history` `ssm.yum.term`

Switches

This group includes tags that start with the level switch. These tags identify data generated by network switches.

Company	Product / service	Valid tags
	Force10 Switches (later part of Dell Networking)	`switch.force10`
	Huawei Switches	`switch.huawei`
	eLinksys Switches	`switch.linksys`

Threat Intelligence

This group includes tags that start with the level threatintel. These tags identify data generated by threat intelligence tools.

Company	Product / service	Valid tags
	Bandura ThreatBlockr	`threatintel.bandura.threatblockr.dnslog` ^+info `threatintel.bandura.threatblockr.dnsresplog` ^+info `threatintel.bandura.threatblockr.packetlog` ^+info

User Behavior Analytics

This group includes tags that start with the level switch. These tags identify data generated by network switches.

Company	Product / service	Valid tags
	Varonis Systems	`uba.varonis.dataalert` `uba.varonis.alert` `uba.varonis.audit`

Uninterruptible Power Supply

This group includes tags that start with the level ups. These tags identify data generated by Uninterruptible Power Supply (UPS) systems.

Company	Product / service	Valid tags
	SNMP Monitoring for APC Smart-UPS	`ups.apc.snmp`

Unified Threat Management

This group includes tags that start with the level utm. These tags identify data generated by Uninterruptible Power Supply (UTM) systems.

Company	Product / service	Valid tags
	Cisco Web Security	`utm.cisco.wsa.access-std` `utm.cisco.wsa.traffic-std`
	Juniper Networks Advanced Threat Prevention (formerly of Cyphort)	`utm.hawkeye.cyphort`
	Sophos UTM system.log	`utm.sophos.system`

Version Control Systems

This group includes tags that start with the level vcs. These tags identify data generated by version control systems.

Company	Product / service	Valid tags
	GitHub	`vcs.github.repository.collaborators` `vcs.github.repository.commits` `vcs.github.repository.forks` `vcs.github.repository.issue_comments` `vcs.github.repository.pull_request_commits` `vcs.github.repository.pull_request` `vcs.github.repository.releases` `vcs.github.repository.stargazers` `vcs.github.repository.subscribers` `vcs.github.repository.events` `vcs.github.api.organization.audit` `vcs.github.api.organization.sso_authorizations` `vcs.github.api.organization.webhooks`

Virtual Private Cloud

This group includes tags that start with the level vpc. These tags identify data generated by Virtual Private Cloud (VPC) systems.

Company	Product / service	Valid tags
	AWS Virtual Private Cloud	`vpc.aws.flow`

Virtual Private Network

This group includes tags that start with the level vpn. These tags identify data generated by Virtual Private Network (VPN) services.

Company	Product / service	Valid tags
	Cisco AnyConnect	`vpn.cisco.asa.anyconnect`
	Juniper VPN	`vpn.juniper.sa`
	Pulse Secure	`vpn.pulsesecure.sa`
	Zscaler	`vpn.zscaler.access` `vpn.zscaler.activity` `vpn.zscaler.status_user` `vpn.zscaler.status_connector`

Vulnerability detection

This group includes tags that start with the level vuln. These tags identify data generated by vulnerability detection systems

Company	Product / service	Valid tags
	BeyondTrust vulnerability management	`vuln.beyondtrust.appaudit` `vuln.beyondtrust.pbps` `vuln.beyondtrust.retina`
	Qualys	`vuln.qualys.hosts` `vuln.qualys.hostdetections` `vuln.qualys.hostdetections.xml` `vuln.qualys.useractivitylog` `vuln.qualys.vulnerabilities`
	Rapid7 Nexpose	`vuln.rapid7.nexpose.asset` `vuln.rapid7.nexpose.vuln`
	Tenable	`vuln.tenable.io.assets` `vuln.tenable.io.agents` `vuln.tenable.io.audit_log` `vuln.tenable.io.plugins` `vuln.tenable.io.scanners` `vuln.tenable.io.scans`

Web Application Firewalls

This group includes tags that start with the level waf. These tags identify data generated by web application firewalls.

Company	Product / service	Valid tags
	SecureSphere Web Application Firewall (WAF)	`waf.imperva.securesphere`
	Incapsula CDN (now Imperva FlexProtect)	`waf.incapsula.audit` `waf.incapsula.events`

Web

This group includes tags that start with the level web. These tags identify data generated by web application firewalls.

Company	Product / service	Valid tags
	Apache Web Server	`web.apache.access-clf` `web.apache.access-combined` `web.apache.access-lt` `web.apache.access-lt-xff` `web.apache.access-vhc` `web.apache.error` `web.apache.mod-jk` `web.apache.mod-security`
	Arbor Solutions (now part of Netscout)	`web.arbor.access`
	Amazon Web Services	`web.aws.cloudfront.access-w3c` `web.aws.elb.access`
	EdgeCast	`web.edgecast.access-w3c`
	GlassFish Application Server	`web.glassfish.server`
	Oracle iPlanet Web Server	`web.iplanet.access-clf2` `web.iplanet.error`
	IBM InfoSphere Information Server	`web.iis.access-ncsa.<env>.<app>.<clon>` `web.iis.access-w3c.<env>.<app>.<clon>` `web.iis.access-w3c-all.<env>.<app>.<clon>` Check more info about these parsers
	IBM WebSEAL	`web.webseal.access-combined`
	IBM WebSphere Application Server	`web.websphere.error` `web.websphere.gc` `web.websphere.gc-stdout` `web.websphere.gc-summary` `web.websphere.out`
	JBoss web application server (currently known as WildFly)	`web.jboss.access-clf` `web.jboss.access-combined` `web.jboss.access-lt` `web.jboss.boot` `web.jboss.server`
-	Level3 web server	`web.level3.access-w3c`
	NGINX webserver	`web.nginx.access-combined` `web.nginx.access-lt` `web.nginx.access-lt-xff` `web.nginx.access-main` `web.nginx.error`
	Apache Tomcat web application server	`web.tomcat.access-clf` `web.tomcat.access-combined` `web.tomcat.access-lt` `web.tomcat.app` `web.tomcat.app-lt` `web.tomcat.catalina` `web.tomcat.catalina-lt` `web.tomcat.gc` `web.tomcat.out`

Click to see the parsers

directory.msad.health
directory.msad.netlogon
directory.msad.siteinfo
directory.msad.snapshot
directory.msad.update

Click to see the parsers

sms.adaxes.events

Click to see the parsers

cdn.akamai.access
cdn.akamai.audit
cdn.akamai.audit-extended
cdn.akamai.cloudmonitor

Click to see the parsers

ups.apc.snmp

Click to see the parsers

ddos.arbor.peakflow.dos
ddos.arbor.peakflow.sp
ddos.arbor.pravail.aps
web.arbor.access

Click to see the parsers

app.atlassian.confluence.audit
app.atlassian.jira.audit

Click to see the parsers

cloud.aws.cloudtrail.audit
cloud.aws.cloudtrail.events
cloud.aws.cloudwatch.alarm
cloud.aws.cloudwatch.events
cloud.aws.cloudwatch.logs
cloud.aws.cloudwatch.metrics
cloud.aws.sqs.audit
cloud.aws.waf.logs
web.aws.cloudfront.access-w3c
web.aws.elb.access
vpc.aws.flow

Click to see the parsers

firewall.barracuda.audit

Click to see the parsers

vuln.beyondtrust.appaudit
vuln.beyondtrust.pbps
vuln.beyondtrust.retina
ras.beyondtrust.events

Click to see the parsers

dhcp.bluecat.dhcpd
dns.bluecat.named

Click to see the parsers

monitor.patrol

Click to see the parsers

cloud.box.collaborations
cloud.box.events
cloud.box.files
cloud.box.folders
cloud.box.groups
cloud.box.users

Click to see the parsers

ids.bricata.broall
ids.bricata.brocata
ids.bricata.broconn
ids.bricata.burocata
ids.bricata.suricata

Click to see the parsers

edr.carbonblack.alert
edr.carbonblack.binary
edr.carbonblack.feed
edr.carbonblack.ingress
edr.carbonblack.watchlist

Click to see the parsers

firewall.checkpoint.fw
firewall.checkpoint.gaia
firewall.checkpoint.lea
firewall.checkpoint.log_exporter
av.checkpoint.mtp.audit
av.checkpoint.mtp.event

Click to see the parsers

ap.cisco.wlc
auth.cisco.ise
firewall.cisco.asa
firewall.cisco.fmc
firewall.cisco.ftd
firewall.cisco.pix
firewall.cisco.fwsm
ips.cisco.sdee.alerts
ips.cisco.sdee.sdee-collector
ips.cisco.sourcefire.network
mail.cisco.esa.stdout
network.cisco.router
network.cisco.switch
network.cisco.wireless
sig.cisco.umbrella.dns
sig.cisco.umbrella.firewall
sig.cisco.umbrella.ip
sig.cisco.umbrella.proxy
utm.cisco.wsa.access-std
utm.cisco.wsa.traffic-std
vpn.cisco.asa.anyconnect

Click to see the parsers

cloud.cloud_foundry.application

Click to see the parsers

ips.corero.common

Click to see the parsers

ids.darktrace.threats

Click to see the parsers

dlp.digitalguardian.endpointdlp.alerts
dlp.digitalguardian.endpointdlp.audit
dlp.digitalguardian.endpointdlp.classification
dlp.digitalguardian.networkdlp

Click to see the parsers

box.docker.stats

Click to see the parsers

mail.dovecot.audit

Click to see the parsers

web.edgecast.access-w3c

Click to see the parsers

sgsn.mme.ericsson

Click to see the parsers

netstat.exinda.orchestrator.stdout

Click to see the parsers

edr.fireeye.alerts

Click to see the parsers

switch.force10

Click to see the parsers

dlp.forcepoint.events
proxy.forcepoint.access

Click to see the parsers

nac.forescout.counteract.actions
nac.forescout.counteract.common
nac.forescout.counteract.log
nac.forescout.counteract.policy
nac.forescout.counteract.system

Click to see the parsers

av.fsecure.igk.access

Click to see the parsers

vcs.github

Click to see the parsers

web.glassfish.server

Click to see the parsers

api.ibm.connect.audit
api.ibm.connect.event

Click to see the parsers

waf.imperva.securesphere

Click to see the parsers

waf.incapsula.audit
waf.incapsula.events

Click to see the parsers

dhcp.infoblox.stdout
dns.infoblox.response

Click to see the parsers

switch.linksys

Click to see the parsers

runtime.linuxperf.fct

Click to see the parsers

av.mcafee.epo.events
av.mcafee.epo.threat
proxy.mcafee.webgw.access-ab
proxy.mcafee.webgw.default

Click to see the parsers

rbi.menlo.audit
rbi.menlo.attachment
rbi.menlo.email
rbi.menlo.smtp
rbi.menlo.web

Click to see the parsers

dhcp.microsoft.ip4
dhcp.microsoft.ip6

Click to see the parsers

mail.exchange.messagetracking
mail.exchange.ncsa
mail.exchange.w3c

Click to see the parsers

db.mssql.audit
db.mssql.error

Click to see the parsers

mail.mimecast.archive
mail.mimecast.archive.messageview
mail.mimecast.archive.search
mail.mimecast.audit.events
mail.mimecast.siem
mail.mimecast.siem.delivery
mail.mimecast.siem.jrnl
mail.mimecast.siem.process
mail.mimecast.siem.receipt
mail.mimecast.ttp
mail.mimecast.ttp.attachment
mail.mimecast.ttp.impersonation
mail.mimecast.ttp.url
mail.mimecast.message.list
mail.mimecast.message.summary
mail.mimecast.threat.feed
mail.mimecast.account.dashboard

Click to see the parsers

edr.minervalabs.events

Click to see the parsers

db.mongodb.out

Click to see the parsers

monitor.nagios

Click to see the parsers

cloud.netskope.events
casb.netskope.alert
casb.netskope.application
casb.netskope.audit
casb.netskope.client
casb.netskope.infrastructure
casb.netskope.network
casb.netskope.page

Click to see the parsers

edr.observeit.events

Click to see the parsers

auth.okta.events
auth.okta.system
auth.okta.apps
auth.okta.groups
auth.okta.policies
auth.okta.users

Click to see the parsers

db.oracle.alert
db.oracle.error

Click to see the parsers

erp.peoplesoft.info

Click to see the parsers

auth.ping.federate.audit
auth.ping.federate.server

Click to see the parsers

mail.postfix.error
mail.postfix.info

Click to see the parsers

db.postgresql.out

Click to see the parsers

metrics.prometheus

Click to see the parsers

ips.proventia.siteprotector.leef

Click to see the parsers

vpn.pulsesecure.sa

Click to see the parsers

mq.rabbitmq.out

Click to see the parsers

vuln.rapid7.nexpose.asset
vuln.rapid7.nexpose.vuln

Click to see the parsers

ids.rscope.communication
ids.rscope.conn
ids.rscope.dce_rpc
ids.rscope.dhcp
ids.rscope.dns
ids.rscope.dpd
ids.rscope.files
ids.rscope.ftp
ids.rscope.http
ids.rscope.intel
ids.rscope.irc
ids.rscope.kerberos
ids.rscope.known_hosts
ids.rscope.known_services
ids.rscope.modbus
ids.rscope.mysql
ids.rscope.notice
ids.rscope.ntlm
ids.rscope.pe
ids.rscope.protocolstats_orig
ids.rscope.protocolstats_resp
ids.rscope.radius
ids.rscope.rdp
ids.rscope.removed_files
ids.rscope.reporter
ids.rscope.rfb
ids.rscope.rscopestats-byte
ids.rscope.rscopestats-core
ids.rscope.rscopestats-misc
ids.rscope.rscopestats-pckt
ids.rscope.rscopestats-port
ids.rscope.rscopestats-sys
ids.rscope.sip
ids.rscope.smb_files
ids.rscope.smb_mapping
ids.rscope.smtp
ids.rscope.snmp
ids.rscope.socks
ids.rscope.software
ids.rscope.ssh
ids.rscope.ssl
ids.rscope.stats
ids.rscope.stderr
ids.rscope.stdout
ids.rscope.syslog
ids.rscope.tunnel
ids.rscope.weird
ids.rscope.x509

Click to see the parsers

cloud.rubrik.events

Click to see the parsers

crm.salesforce.admin
crm.salesforce.apexcallout
crm.salesforce.apexexecution
crm.salesforce.apexsoap
crm.salesforce.apextrigger
crm.salesforce.apexunexpectedexception
crm.salesforce.api
crm.salesforce.asyncreportrun
crm.salesforce.audit
crm.salesforce.contenttransfer
crm.salesforce.documentattachmentdownloads
crm.salesforce.login
crm.salesforce.logout
crm.salesforce.metadataapioperation
crm.salesforce.queuedexecution
crm.salesforce.report
crm.salesforce.reportexport
crm.salesforce.restapi
crm.salesforce.search
crm.salesforce.searchclick
crm.salesforce.timebasedworkflow
crm.salesforce.uri
crm.salesforce.visualforcerequest

Click to see the parsers

auth.secureauth.events

Click to see the parsers

ras.securelink.admin
ras.securelink.audit

Click to see the parsers

av.sentinelone.events

Click to see the parsers

app.slack.audit

Click to see the parsers

ids.snort.unified2

Click to see the parsers

ids.suricata.dns
ids.suricata.events
ids.suricata.fast
ids.suricata.files
ids.suricata.http
ids.suricata.stdout

Click to see the parsers

db.teradata.out

Click to see the parsers

av.trendmicro.deepsec.agent
av.trendmicro.deepsec.console
av.trendmicro.deepsec.manager
mail.smtp.as400alerts
mail.smtp.dlp
mail.smtp.general
mail.smtp.imss-polevt
mail.smtp.spam-eti
mail.smtp.spam-spain
mail.smtp.spam-tis
mail.smtp.spam-trap

Click to see the parsers

cdn.triton.access

Click to see the parsers

social.twitter.tweets.common
social.twitter.tweets.complete
social.twitter.tweets.trace

Click to see the parsers

auth.unix
box.audit.unix.go-audit
box.unix
dhcp.unix.stdout

Click to see the parsers

kms.venafi.events

Click to see the parsers

pds.pviper.stdout

Click to see the parsers

cloud.vmware_tanzu.opsmanager.audit

Click to see the parsers

router.vyatta

Click to see the parsers

firewall.watchguard.traffic

Click to see the parsers

box.win
box.win_nxlog.application
box.win_nxlog.group_policy
box.win_nxlog.invalid
box.win_nxlog.other
box.win_nxlog.powershell
box.win_nxlog.print
box.win_nxlog.remote_conn
box.win_nxlog.security
box.win_nxlog.smb
box.win_nxlog.sysmon
box.win_nxlog.system
box.win_nxlog.windows_powershell
box.win_snare
dns.windows
firewall.windows.stdout

Click to see the parsers

cms.wordpress.stdout

Click to see the parsers

ids.bro.captureloss
ids.bro.communication
ids.bro.conn
ids.bro.dhcp
ids.bro.dns
ids.bro.dpd
ids.bro.files
ids.bro.ftp
ids.bro.http
ids.bro.knownhosts
ids.bro.knownservices
ids.bro.notice
ids.bro.reporter
ids.bro.snmp
ids.bro.software
ids.bro.ssh
ids.bro.ssl
ids.bro.stats
ids.bro.weird
ids.bro.x509

Click to see the parsers

Download as PDF