Content Comparison

Apache Web Server

Syslog RFC 3164 (QRadar)

\tApacheLog\t

Set “Log Type” in log file policy as “Apache”.

Microsoft ADFS

Syslog RFC 3164 (QRadar)

AD FS/Admin

Microsoft Defender

Syslog RFC 3164 (QRadar)

Microsoft-Windows-Windows Defender\/Operational

Microsoft DHCP

Syslog RFC 3164 (QRadar)

MSSQL\$MICROSOFT##WID|MSSQLSERVER

Replace MSSQLSERVER with instance name

Set “Log Type” in log file policy as “DHCP”.

\tDHCPLog\t\d+\s\d+,\d{2}\/\d{02}\/\d{02},\d{2}:\d{02}:\d{02},

Microsoft DNS Server

Syslog RFC 3164 (QRadar)

\tMSDNSServer\t|Microsoft-Windows-DNSServer\/Audit

Set “Log Type” in log file policy as “DNS”.

Microsoft Exchange Parser

Syslog RFC 3164 (QRadar)

\tExchangeLog\t

“Custom” Log type specified in policy. Set as "ExchangeLog".

Microsoft IIS Server

Syslog RFC 3164 (QRadar)

\tIISWebLog\t

Set “Log Type” in log file policy as “IIS”.

Microsoft Windows Powershell

Syslog RFC 3164 (QRadar)

Microsoft-Windows-PowerShell\/Operational.*4104

Microsoft Windows Snare Application

Syslog RFC 3164 (QRadar)

\t(Application|Security|System)\t\tMSWinEventLog\t

One desitnation and policy required for Security, Application and System

Microsoft Windows Snare Security

Syslog RFC 3164 (QRadar)

\tMSWinEventLogt(Application|Security|System)\t

See above

Microsoft Windows Snare System

Syslog RFC 3164 (QRadar)

\tMSWinEventLogt(Application|Security|System)\t

See above

Microsoft Windows Sysmon

Syslog RFC 3164 (QRadar)

Microsoft-Windows-Sysmon/Operational

Microsoft Windows Sysmon

Syslog RFC 3164 (QRadar)

Microsoft-Windows-Sysmon/Operational

RADIUS_NPS

Syslog RFC 3164 (QRadar)

\tRadiusLog\t

“Custom” Log type specified in policy. Set as "RadiusLog".

Windows MSSQL Via Syslog SNARE

Syslog RFC 3164 (QRadar)

MSSQL\$MICROSOFT##WID|MSSQLSERVER

Replace MSSQLSERVER with instance name

Windows MSSQL Via Syslog SNARE

Syslog RFC 3164 (QRadar)

MSSQL\$MICROSOFT##WID|MSSQLSERVER

Replace MSSQLSERVER with instance nameCEF