Configuring External Systems for Discovery, Monitoring and Log Collection
Ports Used by FortiSIEM for Discovery and Monitoring
These ports are used by FortiSIEM to discover devices, pull metrics and process event logs.
Ports | Services | Super | Worker | Collector |
UDP/514 | UDP syslog | x | x | x |
TCP/1470 | TCP syslog | x | x | x |
UDP/6514 | UDP syslog over TLS | x | x | x |
TCP/6514 | TCP syslog over TLS | x | x | x |
UDP/2055 | netflow | x | x | x |
TCP/22 | ssh | x | x | x |
TCP/5480 | HTTP Registration | x | | |
ICMP | ICMP | x | x | x |
TCP/21 | FTP (Receiving Bluecoat logs via ftp) | x | x | x |
TCP/5432 | postgresql | x | | |
UDP/111, TCP/111 | NFS portmapper | x | x | |
TCP/7900 | phMonitor | x | x | |
TCP/7914 | phParser | x | x | |
TCP/7916 | phQueryWorker | x | x | |
TCP/7918 | phQueryMaster | x | x | |
TCP/7920 | phDataManager | x | x | |
TCP/7922 | phRuleMaster | x | x | |
TCP/7924 | phRuleWorker | x | x | |
TCP/7926 | phAgentManager | x | x | |
TCP/7928 | phDiscover | x | x | |
TCP/7930 | phCheckpoint | x | x | |
TCP/7932 | phReportWorker | x | x | |
TCP/7934 | phReportMaster | x | x | |
TCP/7936 | phEventPackager | x | x | |
TCP/7938 | phIpIdentityMaster | x | x | |
TCP/7940 | phIpIdentityWorker | x | x | |
TCP/110 | POP3 | x | | |
TCP/135 | WMI | x | x | x |
TCP/143 | IMAP | x | | |
UDP/161 | SNMP | x | x | x |
UDP/162 | SNMP TRAP | x | x | x |
TCP/389 | LDAP | x | x | x |
TCP/443 | HTTPS | x | x | x |
TCP/993 | IMAP/SSL | x | | |
TCP/995 | POP/SSL | x | | |
TCP/1433 | JDBC | x | x | x |
UDP/8686 | JMX | x | x | x |
TCP/18184 | Checkpoint LEA | x | x | x |
TCP/18190 | Checkpoint CPMI Port | x | x | x |
Supported Devices and Applications by Vendor
Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Configuration Change Monitoring | Details |
AirTight Networks | SpectraGuard | Discovered via LOG only | Not natively supported – Custom monitoring needed | CEF format: Over 125 event types parsed covering various Wireless suspicious activities | Currently not natively supported | AirTight Networks SpectraGuard |
Alcatel | TiMOS Routers and Switches | SNMP: OS, Hardware | SNMP: CPU, memory, interface utilization, hardware status | Not natively supported – Custom parsing needed | Currently not natively supported | Alcatel TiMOS and AOS Switch Configuration |
Alcatel | AOS Routers and Switches | SNMP: OS, Hardware | SNMP: CPU, memory, interface utilization, hardware status | Not natively supported – Custom parsing needed | Currently not natively supported | Alcatel TiMOS and AOS Switch Configuration |
Alertlogic | IPS | Discovered via LOG only | Currently not natively supported | AlertLogic API – Snort event types | Currently not natively supported | |
Amazon | AWS Servers | AWS API: Server Name, Access IP, Instance ID, Image Type, Availability Zone | CloudWatch API: System Metrics: CPU, Disk I/O, Network | CloudTrail API: Over 325 event types parsed covering various AWS activities | CloudTrail API: various administrative changes on AWS systems and users | AWS CloudWatch, AWS CloudTrail |
Amazon | AWS Elastic Block Storage (EBS) | CloudWatch API: Volume ID, Status, Attach Time | CloudWatch API: Read/Write Bytes, Ops, Disk Queue | Covered via CloudTrail API | Covered via CloudTrail API | AWS EBS and RDS |
Amazon | AWS Relational Database Storage (RDS) | | CloudWatch API: CPU, Connections, Memory, Swap, Read/Write Latency and Ops | Currently not natively supported | Covered via CloudTrail API | AWS EBS and RDS |
Amazon | Elastic Load Balancer (ELB) | | Currently not natively supported | HTTP(S) Access logs – Management logs – Covered via CloudTrail API | Covered via CloudTrail API | |
Apache | Tomcat Application Server | JMX: Version | JMX: CPU, memory, servlet, session, database, threadpool, request processor metrics | Currently not natively supported – Custom parsing needed | Currently not natively supported | Apache Tomcat |
Apache | Apache Web server | SNMP: Process name | SNMP: process level cpu, memory; HTTPS via the mod-status module: Apache level metrics | Syslog: W3C formatted access logs – per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration | Currently not natively supported | Apache Web Server |
APC | NetBotz Environmental Monitor | SNMP: Host name, Hardware model, Network interfaces | SNMP: Temperature, Relative Humidity, Airflow, Dew point, Current, Door switch sensor etc. | SNMP Trap: Over 125 SNMP Trap event types parsed covering various environmental exception conditions | Currently not natively supported | APC Netbotz |
APC | UPS | SNMP: Host name, Hardware model, Network interfaces | SNMP: UPS metrics | SNMP Trap: Over 49 SNMP Trap event types parsed covering various environmental exception conditions | Currently not natively supported | APC UPS |
Arista Networks | Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running processes | SNMP: CPU, Memory, Interface utilization, Hardware Status | Syslog and NetFlow | SSH: Running config, Startup config | Arista Router and Switch |
Aruba Networks | Aruba Wireless LAN | SNMP: Controller OS, hardware, Access Points | SNMP: Controller CPU, Memory, Interface utilization, Hardware Status; SNMP: Access Point Wireless Channel utilization, noise metrics, user count | SNMP Trap: Over 165 event types covering Authentication, Association, Rogue detection, Wireless IPS events | Currently not natively supported | Aruba WLAN |
Aruba Networks | ClearPass Policy Manager | Discovery via LOG | Currently not natively supported | Syslog: Successful and failed AAA authentication, warnings and errors | Currently not natively supported | |
Aruba Networks | Switches | SNMP: OS, Hardware | SNMP: Uptime, Interface utilization | Currently not natively supported – Custom parsing needed | Currently not natively supported | |
Avaya | Call Manager | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | CDR: Call Records | Currently not natively supported | Avaya Call Manager |
Avaya | Session Manager | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | Currently not natively supported – Custom parsing needed | Currently not natively supported | |
Barracuda Networks | Spam Firewall | Discovery via LOG | Currently not natively supported | Syslog: Over 20 event types covering mail scanning and filtering activity | Currently not natively supported | Barracuda Spam |
Bit9 | Security platform | Discovery via LOG | Currently not natively supported | Syslog: Over 259 event types covering various file monitoring activities | Currently not natively supported | Bit9 Security Platform |
Bit9 | Carbon Black | Currently not natively supported | Currently not natively supported | Syslog: File monitoring watch list hit | Currently not natively supported | |
Blue Coat | Security Gateway Versions v4.x and later | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Proxy performance metrics | Syslog: Admin access to Security Gateway; SFTP: Proxy traffic analysis | Currently not natively supported | Blue Coat Web Proxy |
Box.com | Cloud Storage | Currently not natively supported | Currently not natively supported | Box.com API: File creation, deletion, modify, file sharing | Currently not natively supported | Box.com |
Brocade | SAN Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | Currently not natively supported | Currently not natively supported | Brocade SAN Switch |
Brocade | ServerIron ADX switch | SNMP: Host name, serial number, hardware | SNMP: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics | Currently not natively supported | Currently not natively supported | Brocade ADX |
Brocade | NetIron CER Switches | SNMP: Host name, serial number, hardware | SNMP: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics | Currently not natively supported | Currently not natively supported | Brocade NetIron CER Routers |
CentOS / Other Linux distributions | Linux | SNMP: OS, Hardware, Software, Processes, Open Ports; SSH: Hardware details, Linux distribution | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging | Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification; SSH: File integrity monitoring, Command output monitoring, Target file monitoring; AccelOps LinuxFileMon Agent: File integrity monitoring | SSH: File integrity monitoring, Target file monitoring; Agent: File integrity monitoring | Linux Server |
CentOS / Other Linux distributions | DHCP Server | Currently not natively supported | Currently not natively supported | Syslog: DHCP activity (Discover, Offer, Request, Release etc) – Used in Identity and Location | Not Applicable | Linux DHCP |
Checkpoint | FireWall-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | LEA from SmartCenter or Log Server: Firewall Log, Audit trail, over 940 IPS Signatures | LEA: Firewall Audit trail | Check Point Provider-1 Firewall |
Checkpoint | Provider-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 | Currently not natively supported | Currently not natively supported | LEA: Firewall Log, Audit trail | LEA: Firewall Audit trail | Check Point |
Checkpoint | VSX | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | LEA from SmartCenter or Log Server: Firewall Log, Audit trail | LEA: Firewall Audit trail | Check Point Provider-1 |
Citrix | NetScaler Application Delivery Controller | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status, Application Firewall metrics | Syslog: Over 465 event types covering admin activity, application firewall events, health events | Currently not natively supported | Citrix Netscaler |
Citrix | ICA | SNMP: Process Utilization | SNMP: Process Utilization; WMI: ICA Session metrics | Currently not natively supported | Currently not natively supported | Citrix ICA |
Cisco | ASA Firewall (single and multi-context) version 7.x and later | SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration | SNMP: CPU, Memory, Interface utilization, Firewall Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity; NetFlow V9: Traffic log | SSH: Running config, Startup config | Cisco ASA |
Cisco | PIX Firewall | SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration | SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity | SSH: Running config, Startup config | Cisco ASA |
Cisco | FWSM | SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration | SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity | SSH: Running config, Startup config | Cisco ASA |
Cisco | IOS based Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity | SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics; SNMP: BGP metrics, OSPF metrics; SNMP: Class based QoS metrics; SNMP: NBAR metrics | Syslog: Over 200 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco IOS |
Cisco | CatOS based Switches | SNMP: OS, Hardware (Serial Number, Image file, Interfaces, Components); SSH: configuration, running process | SNMP: CPU, Memory, Interface utilization, Hardware Status | Syslog: Over 700 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco IOS |
Cisco | Nexus OS based Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity | SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics, BGP metrics, OSPF metrics, NBAR metrics; SNMP: Class based QoS metrics | Syslog: Over 3500 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, hardware status, software and hardware errors; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco NX-OS |
Cisco | 300 Series Switches (SF 300, SG300/350 etc) | SNMP: OS, Hardware | SNMP: Interface utilization | Currently not natively supported | Currently not natively supported | Cisco 300 Series Routers |
Cisco | ONS | SNMP: OS, Hardware | | SNMP Trap: Availability and Performance Alerts | | Cisco NX-OS |
Cisco | ACE Application Firewall | SNMP: OS, Hardware | | | | |
Cisco | UCS Server | UCS API: Hardware components processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit | UCS API: Chassis Status, Memory Status, Processor Status, Power Supply status, Fan status | Syslog: Over 500 event types parsed for situations covering hardware errors, internal software errors etc | Currently not natively supported | Cisco UCS |
Cisco | WLAN Controller and Access Points | SNMP: OS, Hardware, Access Points | SNMP: Controller CPU, Memory, Interface utilization, Hardware Status; SNMP: Access Point Wireless Channel utilization, noise metrics, user count | SNMP Trap: Over 88 event types parsed for situations covering Authentication, Association, Rogue detection, Wireless IPS events | Currently not natively supported | Cisco Wireless LAN |
Cisco | Call Manager | SNMP: OS, Hardware, VoIP Phones | SNMP: Call manager CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage; SNMP: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count; SNMP: SIP Trunk Info, Gateway Status Info, H323 Device Info, Voice Mail Device Info, Media Device Info, Computer Telephony Integration (CTI) Device Info | Syslog: Over 950 messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT); CDR Records, CMR Records: Call Source and Destination, Time, Call Quality metrics (MOS Score, Jitter, latency) | Currently not natively supported | Cisco Call Manager |
Cisco | Contact Center | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Contact Center |
Cisco | Presence Server | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Presence Server |
Cisco | Tandberg Tele-presence Video Communication Server (VCS) | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Tandberg Telepresence VCS |
Cisco | Tandberg Tele-presence Multiple Control Unit (MCU) | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Telepresence MCU |
Cisco | Unity Connection | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Unity |
Cisco | IronPort Mail Gateway | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change | Syslog: Over 45 event types covering mail scanning and forwarding status | Currently not natively supported | Cisco IronPort |
Cisco | IronPort Web Gateway | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change | W3C Access log (Syslog): Over 9 event types covering web request handling status | Currently not natively supported | Cisco IronPort Web |
Cisco | Cisco Network IPS Appliances | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk Interface utilization, Hardware Status | SDEE: Over 8000 IPS signatures | Currently not natively supported | Cisco NIPS |
Cisco | Sourcefire 3D and Defense Center | SNMP: OS, Hardware | | | | Sourcefire 3D and Defense Center |
Cisco | FireSIGHT Console | | | eStreamer SDK: Intrusion events, Malware events, File events, Discovery events, User activity events, Impact flag events | | Cisco FireSIGHT |
Cisco | Cisco Security Agent | SNMP or WMI: OS, Hardware | SNMP or WMI: Process CPU and memory utilization | SNMP Trap: Over 25 event types covering Host IPS behavioral signatures | Currently not natively supported | Cisco CSA |
Cisco | Cisco Access Control Server (ACS) | SNMP or WMI: OS, Hardware | SNMP or WMI: Process CPU and memory utilization | Syslog: Passed and Failed authentications, Admin accesses | Currently not natively supported | Cisco ACS |
Cisco | VPN 3000 | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | Syslog: Successful and Failed Admin Authentication, VPN Authentication, IPSec Phase 1 and Phase 2 association, VPN statistics | Currently not natively supported | Cisco VPN 3000 |
Cisco | Meraki Cloud Controllers | SNMP: OS, Hardware, Meraki devices reporting to the Cloud Controller | SNMP: Uptime, Network Interface Utilization; SNMP Trap: Various availability scenarios | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices |
Cisco | Meraki Firewalls | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | Syslog: Firewall log analysis | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices |
Cisco | Meraki Routers/Switches | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | Currently not natively supported | | Cisco Meraki Cloud Controller and Network Devices |
Cisco | Meraki WLAN Access Points | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | Currently not natively supported | | Cisco Meraki Cloud Controller and Network Devices |
Cisco | MDS Storage Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | Currently not natively supported – Custom parsing needed | Currently not natively supported | |
Cisco | Network Control Manager (NCM) | | | Syslog: Network device software update, configuration analysis for compliance, admin login | | Cisco Network Compliance Manager |
Cisco | Wide Area Application Services (WAAS) | SNMP: Host name, Version, Hardware model, Network interfaces | SNMP: CPU, Memory, Interface utilization, Disk utilization, Process cpu/memory utilization | | | Cisco WAAS |
Cisco | Application Centric Infrastructure (ACI) | Not Applicable | Not Applicable | Cisco APIC API: Faults, Events, Configuration Changes, Node/Tenant/Cluster/Application/EPG/Overall health | | Cisco Application Centric Infrastructure (ACI) Configuration |
Clavister | Clavister IP | | | | | |
Cylance | Cylance Protect Endpoint Protection | | | Syslog: Endpoint protection alerts | | Cylance Protect |
Cyphort | Cyphort Cortex Endpoint Protection | | | Syslog: Endpoint protection alerts | | Cyphort Cortex |
Dell | SonicWall Firewall | SNMP: OS,
Hardware |
SNMP: CPU, Memory, Interface
utilization, Firewall session count |
Syslog: Firewall log analysis (over 1000 event types) | Currently not natively supported | Dell
SonicWALL |
Dell | Force10 Router and Switch | SNMP: OS,
Hardware |
SNMP: CPU, Memory, Interface utilization, Interface Status, Hardware Status | SSH: Running config, Startup config | Dell Force10 | |
Dell | NSeries Router and Switch | SNMP: OS,
Hardware |
SNMP: CPU, Memory, Interface utilization, Hardware Status | SSH: Startup config | Dell NSeries | |
Dell | PowerConnect
Router and Switch |
SNMP: OS,
Hardware |
SNMP: CPU, Memory, Interface utilization, Hardware Status | SSH: Startup config | Dell
PowerConnect |
|
Dell | Dell Hardware on
Intel-based Servers |
SNMP: Hardware | SNMP: Hardware Status: Battery, Disk,
Memory, Power supply, Temperature, Fan, Amperage, Voltage |
Currently not natively supported. | ||
Dell | Compellent
Storage |
SNMP: OS,
Hardware |
SNMP: Network Interface utilization,
Volume utilization, Hardware Status (Power, Temperature, Fan) |
Currently not natively supported. | Dell
Compellant |
|
Dell | EqualLogic
Storage |
SNMP: OS,
Hardware (Network interfaces, Physical Disks, Components) |
SNMP: Uptime, Network Interface
utilization SNMP: Hardware status: Disk, Power supply, Temperature, Fan, RAID health SNMP: Overall Disk health metrics: Tot al disk count, Active disk count, Failed disk count, Spare disk count SNMP: Connection metrics: IOPS, Throughput SNMP: Disk performance metrics: IOPS, Throughput SNMP: Group level performance metrics: Storage, Snapshot |
Currently not natively supported. | Dell
EqualLogic |
|
EMC | Clariion Storage | Naviseccli: Host name, Operating system version, Hardware model,
Serial number, Network interfaces, Installed Software, Storage Controller Ports Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships |
Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA
Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization |
Currently not natively supported. | EMC Clarion |
EMC | VNX Storage | Naviseccli: Host name, Operating system version, Hardware model,
Serial number, Network interfaces, Installed Software, Storage Controller Ports Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships |
Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA
Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization |
EMC VNX | ||
EMC | Isilon Storage | SNMP: Host name, Operating system,
Hardware (Model, Serial number, Network interfaces, Physical Disks, Components |
SNMP: Uptime, Network Interface metrics
SNMP: Hardware component health: Disk, Power supply, Temperature, Fan, Voltage SNMP: Cluster membership change, Node health and performance (CPU, I/O), Cluster health and performance, Cluster Snapshot, Storage Quota metrics, Disk performance, Protocol performance |
EMC Isilon | ||
EMC | Data Domain | SNMP: Host name, Operating system,
Hardware (Model, Serial number, Network interfaces, Physical Disks |
SNMP: Interface utilization, Hardware
Status SNMP: Overall Storage metrics: replication metrics, disk I/O, NFS metrics, CIFS metrics SNMP: Individual disk metrics: disk I/O, disk utilization, disk status |
Currently not natively supported – Custom parsing needed | Currently not natively supported | |
ESET | Nod32 Anti-virus | Application type
discovery via LOG |
Syslog (CEF format): Virus found/cleaned type of events | ESET NOD32 | ||
FireEye | Malware Protection
System (MPS) |
Application type
discovery via LOG |
Syslog (CEF format): Malware found/cleaned type of events | FireEye MPS | ||
FireEye | HX Appliances for
Endpoint protection |
Application type
discovery via LOG |
Syslog (CEF format): Malware Acquisition,
Containment type of events |
|||
F5 Networks | Application
Security Manager |
Discovery via
LOG |
Syslog (CEF Format); Various application level attack scenarios – invalid directory access, SQL injections, cross site exploits | F5 Application
Security Manager |
||
F5 Networks | Local Traffic
Manager |
SNMP: Host name, Operating system,
Hardware (Model, Serial number, Network interfaces, Physical Disks), Installed Software, Running Software |
SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start | SNMP Trap: Exception situations including hardware failures, certain security attacks, Policy violations etc
Syslog: Permitted and Denied Traffic |
F5 Networks
Local Traffic Manager |
|
F5 Networks | Web Accelerator | Discovery via
LOG |
Syslog: Permitted Traffic | F5 Networks
Web Accelerator |
||
Fortinet | FortiGate firewalls | SNMP: OS, Host name, Hardware
(Serial Number, Interfaces, Components) |
SNMP: Uptime, CPU and Memory
utilization, Network Interface metrics |
Syslog: Over 3700 Traffic and system logs | SSH: Running config, Startup config | Fortinet
FortiGate |
Fortinet | FortiManager | SNMP: Host name, Hardware
model, Network interfaces, Operating system version |
SNMP: Uptime, CPU and Memory
utilization, Network Interface metrics |
FortiManager |
Fortinet | FortiMail Mail
Gateway |
Discovery via
LOG |
Currently not supported | Syslog: Over 120 event types covering admin logons, configuration changes, restarts, operational errors, malware and virus, spam | Currently not natively supported | Fortinet
FortiWeb |
Fortinet | FortiWeb Web
Gateway |
SNMP: OS, Host name, Hardware
(Serial Number, Interfaces) |
SNMP: Uptime, CPU and Memory
utilization, Network Interface metrics |
Syslog: Over 450 event types covering admin logons, configuration changes, restarts, operational errors, Web attacks, HTTP
Protocol anomaly |
Currently not natively supported | Fortinet
FortiWeb |
Fortinet | FortiSandbox | SNMP: OS, Host name, Hardware
(Serial Number, Interfaces) |
SNMP: Uptime, CPU and Memory
utilization, Network Interface metrics, Disk |
Syslog: Event types covering malware, network attacks and system events | Currently not natively supported | Fortinet
FortiSandbox Configuration |
Fortinet | FortiDDoS | Discovery via
LOG |
Currently not supported | Syslog: Over 160 event types covering admin logons, configuration changes, restarts, operational errors, traffic anomaly, DDoS attacks | Currently not natively supported | FortiDDoS |
Foundry
Networks |
IronWare Router and Switch | SNMP: OS, Hardware SSH:
configuration, running process |
SNMP: Uptime, CPU, Memory,
Interface utilization, Hardware Status |
Syslog: Over 6000 event types parsed for situations covering admin access, configuration change, interface up/down | SSH: Running config, Startup config | Foundry
Networks IronWare |
Google Apps | Not Applicable | Not Applicable | Google Apps Admin SDK: Over 200 event
types parsed for situations covering login, file access, user/group creation/modification, file creation/modifications |
Not Applicable | Google Apps
Audit Configuration |
|
Huawei | VRP Router and
Switch |
SNMP: OS, Hardware
SSH: configuration, running process, Layer 2 connectivity |
SNMP: Uptime, CPU, Memory,
Interface utilization, Hardware Status |
Syslog: Over 30 event types parsed for situations covering admin access, configuration change, interface up/down | SSH: Running config, Startup config | |
HP | BladeSystem | SNMP: Host name, Access IP, Hardware components | SNMP: hardware status | HP
BladeSystem |
||
HP | HP-UX servers | SNMP: OS,
Hardware |
SNMP: Uptime, CPU, Memory, Network Interface, Disk space utilization, Network Interface Errors, Running Process Count, Running process CPU/memory utilization, Running process start/stop
SNMP: Installed Software change SSH : Memory paging rate, Disk I/O utilization |
HP UX Server | ||
HP | HP Hardware on
Intel-based Servers |
SNMP: hardware model, hardware serial, hardware components (fan, power supply,
battery, raid, disk, memory) |
SNMP: hardware status | SNMP Trap: Over 100 traps covering hardware issues | ||
HP | TippingPoint
UnityOne IPS |
SNMP: OS,
Hardware |
SNMP: Uptime, CPU, Memory,
Network Interface, Network Interface Errors |
Syslog: Over 4900 IPS alerts directly or via
NMS |
TippingPoint
IPS |
|
HP | ProCurve Switches and Routers | SNMP: OS, hardware model,
hardware serial, hardware components SSH: configuration |
SNMP: Uptime, CPU, Memory,
Network Interface, Network Interface Errors SNMP: hardware status |
SSH: Running config, Startup config | HP ProCurve | |
HP | Value Series (19xx) Switches and Routers | SNMP: OS, hardware model,
hardware serial, hardware components SSH: configuration |
SNMP: Uptime, CPU, Memory,
Network Interface, Network Interface Errors |
SSH: Startup config | HP Value
Series (19xx) and HP 3Com (29xx) Switch |
HP | 3Com (29xx)
Switches and Routers |
SNMP: OS, hardware model,
hardware serial, hardware components SSH: configuration |
SNMP: Uptime, CPU, Memory,
Network Interface, Network Interface Errors |
SSH: Startup config | HP Value
Series (19xx) and HP 3Com (29xx) Switch |
|
HP | HP/3Com
Comware Switches and Routers |
SNMP: OS, hardware model,
hardware serial, hardware components SSH: configuration |
SNMP: Uptime, CPU, Memory,
Network Interface, Network Interface Errors SNMP: hardware status |
Syslog: Over 6000 vent types parsed for situations covering admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup config | HP/3Com
ComWare |
IBM | Websphere
Application Server |
SNMP or WMI: Running processes | HTTP(S): Generic Information, Availability metrics, CPU / Memory metrics, Servlet metrics, Database pool metrics, Thread pool metrics,
Application level metrics, EJB metrics |
IBM
WebSphere |
||
IBM | DB2 Database
Server |
SNMP or WMI: Running processes | JDBC: Database Audit trail: Log on, Database level and Table level CREATE/DELETE/MODIFY operations | IBM DB2 |
IBM | ISS Proventia IPS Appliances | | | SNMP Trap: IPS Alerts: Over 3500 event types | | IBM ISS Proventia |
IBM | AIX Servers | SNMP: OS, Hardware, Installed Software, Running Processes, Open Ports; SSH: Hardware details | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging | Syslog: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | | IBM AIX |
IBM | OS 400 (including iSeries) | | | Syslog via PowerTech Agent: Over 560 event types; Syslog via Townsend Agent | | IBM OS400 |
IBM | Guardium Database Firewall | | | | | |
Intel/McAfee | McAfee Sidewinder Firewall | SNMP: OS, Hardware, Installed Software, Running Processes | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start | Syslog: Firewall logs | | McAfee Firewall Enterprise (Sidewinder) |
Intel/McAfee | McAfee ePO | SNMP: Related process name and parameters | SNMP: Process resource utilization | SNMP Trap: Over 170 event types | | McAfee ePolicy Orchestrator (ePO) |
Intel/McAfee | IntruShield IPS | SNMP: OS, Hardware | SNMP: Hardware status | Syslog: IPS Alerts | | McAfee IntruShield |
Intel/McAfee | Stonesoft IPS (now called Forcepoint) | | | Syslog: IPS Alerts | | McAfee Stonesoft |
Intel/McAfee | Web Gateway | | | Syslog: Web server log | | McAfee Web Gateway |
Intel/McAfee | Foundstone Vulnerability Scanner | | | JDBC: Vulnerability data | | McAfee Foundstone Vulnerability Scanner |
Infoblox | DNS/DHCP Appliance | SNMP: OS, Hardware, Installed Software, Running Processes | SNMP: Zone transfer metrics, DNS Cluster Replication metrics, DNS Performance metrics, DHCP Performance metrics, DDNS Update metrics, DHCP subnet usage metrics; SNMP: Hardware Status; SNMP Trap: Hardware/Software Errors | Syslog: DNS logs – name resolution activity success and failures | | Infoblox DNS/DHCP |
ISC | BIND DNS | | | Syslog: DNS logs – name resolution activity success and failures | | ISC BIND DNS |
Juniper | JunOS Router/Switch | SNMP: OS, Hardware; SSH: Configuration | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | Syslog: Over 1420 event types parsed for situations covering admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup configuration | Juniper Networks JunOS |
Juniper | SRX Firewalls | SNMP: OS, Hardware; SSH: Configuration | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | Syslog: Over 700 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup configuration | Juniper Networks JunOS |
Juniper | SSG Firewall | SNMP: OS, Hardware; SSH: Configuration | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup configuration | Juniper Networks SSG Firewall |
Juniper | ISG Firewall | SNMP: OS, Hardware; SSH: Configuration | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup configuration | Juniper Networks SSG Firewall |
Juniper | Steel-Belted RADIUS | Discovered via LOG | | Syslog – 4 event types covering admin access and AAA authentication | | Juniper Networks Steel-Belted RADIUS |
Juniper | Secure Access Gateway | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization | Syslog – Over 30 event types parsed for situations covering VPN login, Admin access, Configuration Change | | Juniper Networks SSL VPN Gateway |
Juniper | Netscreen IDP | | | Syslog – directly from Firewall or via NSM – Over 5500 IPS Alert types parsed | | Juniper Networks IDP Series |
Juniper | DDoS Secure | | | Syslog – DDoS Alerts | | Juniper DDoS |
Lantronix | SLC Console Manager | | | Syslog – Admin access, Updates, Commands run | | Lantronix SLC Console Manager |
Liebert | HVAC | SNMP: Host Name, Hardware model | SNMP: HVAC metrics: Temperature: current value, upper threshold, lower threshold; Relative Humidity: current value, upper threshold, lower threshold; System state etc | | | Liebert HVAC |
Liebert | FPC | SNMP: Host Name, Hardware model | SNMP: Output voltage (X-N, Y-N, Z-N), Output current (X, Y, Z), Neutral Current, Ground current, Output power, Power Factor etc | | | Liebert FPC |
Liebert | UPS | SNMP: Host Name, Hardware model | SNMP: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage etc | | | Liebert UPS |
Malwarebytes | Endpoint Protection | | | Syslog (CEF format): Malware detected, quarantine success and failures | | |
Microsoft | Windows 2000, Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2, Windows 2014, Windows 2016 | SNMP: OS, Hardware (for Dell and HP), Installed Software, Running Processes; WMI: OS, Hardware (for Dell and HP), BIOS, Installed Software, Running Processes, Services, Installed Patches | SNMP: CPU, Memory, Disk, Interface utilization, Process utilization; WMI: CPU, Memory, Disk, Interface utilization, Detailed CPU/Memory usage, Detailed Process utilization | WMI pulling: Security, System and Application logs; AccelOps Windows Agent (HTTPS): Security, System and Application logs, File Content change; Snare Agent (syslog): Security, System and Application logs; Correlog Agent (syslog): Security, System and Application logs | SNMP: Installed Software Change; AccelOps Windows Agent: Installed Software Change, Registry Change; AccelOps Windows Agent: File Integrity Monitoring | Microsoft Windows Servers |
Microsoft | DHCP Server – 2003, 2008 | SNMP: Running Processes | WMI: DHCP metrics: request rate, release rate, decline rate, Duplicate Drop rate etc | AccelOps Windows Agent (HTTPS): DHCP logs – release, renew etc; Snare Agent (syslog): DHCP logs – release, renew etc; Correlog Agent (syslog): DHCP logs – release, renew etc | | Microsoft DHCP (2003, 2008) |
Microsoft | DNS Server – 2003, 2008 | SNMP: Running Processes | WMI: DNS metrics: Requests received, Responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received etc | AccelOps Windows Agent (HTTPS): DNS logs – name resolution activity; Snare Agent (syslog): DNS logs – name resolution activity; Correlog Agent (syslog): DNS logs – name resolution activity | | Microsoft DNS (2003, 2008) |
Microsoft | Domain Controller / Active Directory 2003, 2008, 2012, 2014, 2016 | SNMP: Running Processes; LDAP: Users | WMI: Active Directory metrics: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate etc; WMI: “dcdiag -e” command output – detect successful and failed domain controller diagnostic tests; WMI: “repadmin /replsummary” command output – Replication statistics; LDAP: Users with stale passwords, insecure password settings | | | Microsoft Active Directory |
Microsoft | SQL Server – 2005, 2008, 2008R2, 2012, 2014 | SNMP: Running Processes | SNMP or WMI: Process resource usage; JDBC: General database info, Configuration Info, Backup Info; JDBC: Per-instance metrics like Buffer cache hit ratio, Log cache hit ratio etc; JDBC: Per-instance, per-database performance metrics – Data file size, Log file used, Log growths etc; JDBC: Locking info, Blocking info | JDBC: Database error log; JDBC: Database audit trail | | Microsoft SQL Server |
Microsoft | IIS versions | SNMP: Running Processes | SNMP or WMI: Process level resource usage; WMI: IIS metrics: Current Connections, Max Connections, Sent Files, Received Files etc | AccelOps Windows Agent (HTTPS): W3C Access logs – Per instance, Per Connection: Sent Bytes, Received Bytes, Duration; Snare Agent (syslog): W3C Access logs; Correlog Agent (syslog): W3C Access logs | | Microsoft IIS for Windows; Microsoft IIS for Windows 2008 |
Microsoft | ASP.NET | SNMP: Running Processes | SNMP or WMI: Process level resource usage; WMI: Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests etc | | | Microsoft ASP.NET |
Microsoft | Internet Authentication Server (IAS) | SNMP: Running Processes | SNMP or WMI: Process level resource usage | AccelOps Windows Agent (HTTPS): AAA logs – successful and failed authentication; Snare Agent (syslog): AAA logs – successful and failed authentication; Correlog Agent (syslog): AAA logs – successful and failed authentication | | Microsoft Internet Authentication Server (IAS) |
Microsoft | Hyper-V Hypervisor | | PowerShell over winexe: Guest/Host CPU usage, Memory usage, Page fault, Disk Latency, Network usage | | | Hyper-V |
Microsoft | SharePoint Server | SNMP: Running Processes | SNMP or WMI: Process level resource usage | LOGBinder Agent: SharePoint logs – Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes etc | | Microsoft SharePoint |
Microsoft | Exchange Server | SNMP: Running Processes | SNMP or WMI: Process level resource usage; WMI: Exchange performance metrics, Exchange error metrics, Exchange mailbox metrics, Exchange SMTP metrics, Exchange ESE Database, Exchange Database Instances, Exchange Mail Submission Metrics, Exchange Store Interface Metrics etc | | | Microsoft Exchange |
Microsoft | ISA Server | SNMP: Running Processes | SNMP or WMI: Process level resource usage | AccelOps Windows Agent (HTTPS): W3C Access logs – Per Connection: Sent Bytes, Received Bytes, Duration; Snare Agent (syslog): W3C Access logs; Correlog Agent (syslog): W3C Access logs | | Microsoft ISA Server |
Microsoft | PPTP VPN Gateway | | | AccelOps Windows Agent (HTTPS): VPN Access – successful and failed; Snare Agent (syslog): VPN Access – successful and failed; Correlog Agent (syslog): VPN Access – successful and failed | | Microsoft PPTP |
Microsoft | Office 365 | Not Applicable | Not Applicable | Office365 Management Activity API: Close to 500 event types for situations covering login, file access, user/group creation/modification, file creation/modifications | | Microsoft Office365 Audit Configuration |
Motorola | AirDefense Wireless IDS | | | Syslog: Wireless IDS logs | | Motorola AirDefense |
Motorola | WiNG WLAN Access Point | | | Syslog: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health | | Motorola WLAN |
MikroTik | MikroTik Switches and Routers | Host name, OS, Hardware model, Serial number, Components | SNMP: Uptime, CPU utilization, Network Interface metrics | | | MikroTik Router |
NetApp | DataONTAP based Filers | SNMP: Host name, OS, Hardware model, Serial number, Network interfaces, Logical volumes, Physical Disks | SNMP: CPU utilization, Network Interface metrics, Logical Disk Volume utilization; SNMP: Hardware component health, Disk health; ONTAP API: Detailed NFS V3/V4, ISCSI, FCP storage IO metrics, Detailed LUN metrics, Aggregate metrics, Volume metrics, Disk performance metrics | SNMP Trap: Over 150 alerts – hardware and software alerts | | NetApp Filer |
Nimble | NimbleOS Storage | Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components | SNMP: Uptime, Network Interface metrics, Storage Disk Utilization; SNMP: Storage Performance metrics: Read rate (IOPS), Sequential Read Rate (IOPS), Write rate (IOPS), Sequential Write Rate (IOPS), Read latency etc | | | Nimble Storage |
Nessus | Vulnerability Scanner | | | Nessus API: Vulnerability Scan results – Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc | | Nessus Vulnerability Scanner |
Nginx | Web Server | SNMP: Application name | SNMP: Application Resource Usage | Syslog: W3C access logs: per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration | | Nginx Web Server |
Nortel | ERS Switches and Routers | SNMP: Host name, OS, Hardware model, Serial number, Components | SNMP: Uptime, CPU/memory utilization, Network Interface metrics/errors, Hardware Status | | | Nortel ERS and Passport Switch |
Nortel | Passport Switches and Routers | SNMP: Host name, OS, Hardware model, Serial number, Components | SNMP: Uptime, CPU/memory utilization, Network Interface metrics/errors, Hardware Status | | | Nortel ERS and Passport Switch |
Nutanix | Controller VM | SNMP: Host name, OS, Hardware model, Serial number, Network interfaces, Physical Disks, Components | SNMP: Uptime, CPU/memory utilization, Network Interface metrics/errors, Disk Status, Cluster Status, Service Status, Storage Pool Info, Container Info | | | Nutanix |
Okta.com | SSO | Okta API: Users | | Okta API: Over 90 event types covering user activity in Okta website | | Okta Configuration |
OpenLDAP | OpenLDAP | LDAP: Users | | | | |
Oracle | Enterprise Database Server – 10g, 11g, 12c | SNMP or WMI: Process resource usage | JDBC: Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio etc; JDBC: Database Table space information: table space name, table space type, table space usage, table space free space, table space next extent etc; JDBC: Database audit trail: Database logon, Database operations including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc | Syslog: Listener log, Alert log, Audit Log | | Oracle Database |
Oracle | MySQL Server | SNMP or WMI: Process resource usage | JDBC: User Connections, Table Updates, Table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries etc; JDBC: Table space performance metrics: Table space name, table space type, Character set and Collation, table space usage, table space free space etc; JDBC: Database audit trail: Database log on, Database/Table CREATE/DELETE/MODIFY operations | | | MySQL Server |
Oracle | WebLogic Application Server | SNMP or WMI: Process resource usage | JMX: Availability metrics, Memory metrics, Servlet metrics, Database metrics, Thread pool metrics, EJB metrics, Application level metrics | | | Oracle WebLogic |
Oracle | GlassFish Application Server | SNMP or WMI: Process resource usage | JMX: Availability metrics, Memory metrics, Servlet metrics, Session metrics, Database metrics, Request processor metrics, Thread pool metrics, EJB metrics, Application level metrics, Connection metrics | | | Oracle GlassFish Server |
Oracle | Sun SunOS and Solaris | SNMP: OS, Hardware, Software, Processes, Open Ports; SSH: Hardware details | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging | Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification | | Sun Solaris Server |
Palo Alto Networks | PAN-OS based Firewall | SNMP: Host name, OS, Hardware, Network interfaces; SSH: Configuration | SNMP: Uptime, CPU utilization, Network Interface metrics, Firewall connection count | Syslog: Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs | SSH: Configuration Change | Palo Alto Firewall |
PulseSecure | PulseSecure VPN | | | Syslog: VPN events, Traffic events, Admin events | | PulseSecure |
Qualys | Vulnerability Scanner | | | Qualys API: Vulnerability Scan results – Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc | | Qualys Vulnerability Scanner |
Qualys | Web Application Firewall | | | Syslog (JSON formatted): web log analysis | | Qualys Web Application Firewall |
Rapid7 | NeXpose Vulnerability Scanner | | | Rapid7 NeXpose API: Vulnerability Scan results – Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc | | Rapid7 NeXpose Vulnerability Scanner |
Riverbed | Steelhead WAN Accelerators | SNMP: Host name, Software version, Hardware model, Network interfaces | SNMP: Uptime, CPU / Memory / Network Interface / Disk space metrics, Process cpu/memory utilization; SNMP: Hardware Status; SNMP: Bandwidth metrics (Inbound/Outbound Optimized Bytes – LAN side, WAN side; Connection metrics: Optimized / Pass through / Half-open optimized connections etc); SNMP: Top Usage metrics: Top source, Top destination, Top Application, Top Talker; SNMP: Peer status: For every peer: State, Connection failures, Request timeouts, Max latency | SNMP Trap: About 115 event types covering software errors, hardware errors, admin login, performance issues – cpu, memory, peer latency issues; Netflow: Connection statistics | | Riverbed SteelHead WAN Accelerator |
Redhat | Linux | SNMP: OS, Hardware, Software, Processes, Open Ports; SSH: Hardware details, Linux distribution | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging | Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification; SSH: File integrity monitoring, Command output monitoring, Target file monitoring; Agent: File integrity monitoring | SSH: File integrity monitoring, Target file monitoring; Agent: File integrity monitoring | Linux Server |
Redhat | JBoss Application Server | SNMP: Process level CPU/Memory usage | JMX: CPU metrics, Memory metrics, Servlet metrics, Database pool metrics, Thread pool metrics, Application level metrics, EJB metrics | | | Redhat JBoss |
Redhat | DHCP Server | SNMP: Process level CPU/Memory usage | | Syslog: DHCP address release/renew events | | Linux DHCP |
Ruckus | Wireless LAN | SNMP: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points | SNMP: Controller Uptime, Controller Network Interface metrics, Controller WLAN Statistics, Access Point Statistics, SSID performance Stats | | | Ruckus WLAN |
Snort | IPS | SNMP: Process level CPU/Memory usage | | Syslog: Over 40K IPS Alerts; JDBC: Over 40K IPS Alerts – additional details including TCP/UDP/ICMP header and payload in the attack packet | | Snort IPS |
Sophos | Sophos Endpoint Security and Control | | | SNMP Trap: Endpoint events including Malware found/deleted, DLP events | | Sophos Endpoint Security and Control |
Squid | Web Proxy | SNMP: Process level CPU/Memory usage | | Syslog: W3C formatted access logs – per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration | | Squid Web Proxy |
Symantec | Symantec Endpoint Protection | | | Syslog: Over 5000 event types covering end point protection events – malware/spyware/adware, malicious events | | Symantec Endpoint Protection |
Symantec | DLP | | | | | |
TrendMicro | OfficeScan | | | SNMP Trap: Over 30 event types covering end point protection events – malware/spyware/adware, malicious events | | Trend Micro OfficeScan |
TrendMicro | Intrusion Defense Firewall (IDF) | | | Syslog: Over 10 event types covering end point firewall events | | Trend Micro IDF |
TrendMicro | Deep Security Manager | | | Syslog: Over 10 event types covering end point protection events | | |
Tufin | SecureTrack | | | Syslog: Over 10 event types covering firewall policy management events | | |
Vasco | DigiPass | | | Syslog – Successful and Failed Authentications, Successful and Failed administrative logons | | Vasco DigiPass |
VMware | VMware ESX and vCenter | VMware SDK: Entire VMware hierarchy and dependencies – Data Center, Resource Pool, Cluster, ESX and VMs | VMware SDK: VM level: CPU, Memory, Disk, Network, VMware tool status; VMware SDK: ESX level: CPU, Memory, Disk, Network, Data store; VMware SDK: ESX level: Hardware Status; VMware SDK: Cluster level: CPU, Memory, Data store, Cluster Status; VMware SDK: Resource pool level: CPU, Memory | VMware SDK: Over 800 vCenter events covering account creation, VM creation, DRS events, hardware/software errors | | VMware Monitoring Events |
VMware | vShield | | | Syslog: Over 10 events covering permitted and denied connections, detected attacks | | |
VMware | vCloud Network and Security (vCNS) Manager | | | Syslog: Over 10 events covering various activities | | |
WatchGuard | Firebox Firewall | | | Syslog: Over 20 firewall event types | | WatchGuard Firebox Firewall |
Websense | Web Filter | | | Syslog: Over 50 web filtering events and web traffic logs | | Websense Web Filter |