...
Log type | Format in Reflector | Filter regex (include) | Filter comments | Notes | |||
|---|---|---|---|---|---|---|---|
Apache Web Server | Syslog RFC 3164 (QRadar) | \tApacheLog\t | Set “Log Type” in log file policy as “Apache”. | ||||
Microsoft ADFS | Syslog RFC 3164 (QRadar) | AD FS/Admin | |||||
Microsoft Defender | Syslog RFC 3164 (QRadar) | Microsoft-Windows-Windows Defender\/Operational | |||||
Microsoft DHCP | Syslog RFC 3164 (QRadar) | MSSQL\$MICROSOFT##WID|MSSQLSERVER | Replace MSSQLSERVER with instance name | Set “Log Type” in log file policy as “DHCP”. | \tDHCPLog\t\d+\s\d+,\d{2}\/\d{02}\/\d{02},\d{2}:\d{02}:\d{02}, | ||
Microsoft DNS Server | Syslog RFC 3164 (QRadar) | \tMSDNSServer\t|Microsoft-Windows-DNSServer\/Audit | Set “Log Type” in log file policy as “DNS”. | ||||
Microsoft Exchange Parser | Syslog RFC 3164 (QRadar) | \tExchangeLog\t | “Custom” Log type specified in policy. Set as "ExchangeLog". | ||||
Microsoft IIS Server | Syslog RFC 3164 (QRadar) | \tIISWebLog\t | Set “Log Type” in log file policy as “IIS”. | ||||
Microsoft Windows Powershell | Syslog RFC 3164 (QRadar) | Microsoft-Windows-PowerShell\/Operational.*4104 | |||||
Microsoft Windows Snare Application | Syslog RFC 3164 (QRadar) | \t(Application|Security|System)\t\tMSWinEventLog\t | One desitnation and policy required for Security, Application and System | ||||
Microsoft Windows Snare Security | Syslog RFC 3164 (QRadar) | \t(Application|Security|System)\t | See above | ||||
Microsoft Windows Snare System | Syslog RFC 3164 (QRadar) | \t(Application|Security|System)\t | See above | ||||
Microsoft Windows Sysmon | Syslog RFC 3164 (QRadar) | Microsoft-Windows-Sysmon/Operational | |||||
Microsoft Windows Sysmon | Syslog RFC 3164 (QRadar) | Microsoft-Windows-Sysmon/Operational | |||||
RADIUS_NPS | Syslog RFC 3164 (QRadar) | \tRadiusLog\t | “Custom” Log type specified in policy. Set as "RadiusLog". | ||||
Windows MSSQL Via Syslog SNARE | Syslog RFC 3164 (QRadar) | MSSQL\$MICROSOFT##WID|MSSQLSERVER | Replace MSSQLSERVER with instance name | ||||
Windows MSSQL Via Syslog SNARE | Syslog RFC 3164 (QRadar) | MSSQL\$MICROSOFT##WID|MSSQLSERVER | Replace MSSQLSERVER with instance nameCEF |
Note: A port for ingestion of each type will need to be created in Securonix first.
...