Versions Compared

Version Old Version 6 New Version Current
Changes made by

rthornton

rthornton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Log type

Format in Reflector

Filter regex (include)

Filter comments

Notes

Apache Web Server

Syslog RFC 3164 (QRadar)

\tApacheLog\t

Set “Log Type” in log file policy as “Apache”.

Microsoft ADFS

Syslog RFC 3164 (QRadar)

AD FS/Admin

Microsoft Defender

Syslog RFC 3164 (QRadar)

Microsoft-Windows-Windows Defender\/Operational

Microsoft DHCP

Syslog RFC 3164 (QRadar)

MSSQL\$MICROSOFT##WID|MSSQLSERVER

Replace MSSQLSERVER with instance name

Set “Log Type” in log file policy as “DHCP”.\tDHCPLog\t\d+\s\d+,\d{2}\/\d{02}\/\d{02},\d{2}:\d{02}:\d{02},

Microsoft DNS Server

Syslog RFC 3164 (QRadar)

\tMSDNSServer\t|Microsoft-Windows-DNSServer\/Audit

Set “Log Type” in log file policy as “DNS”.

Microsoft Exchange Parser

Syslog RFC 3164 (QRadar)

\tExchangeLog\t

“Custom” Log type specified in policy. Set as "ExchangeLog".

Microsoft IIS Server

Syslog RFC 3164 (QRadar)

\tIISWebLog\t

Set “Log Type” in log file policy as “IIS”.

Microsoft Windows Powershell

Syslog RFC 3164 (QRadar)

Microsoft-Windows-PowerShell\/Operational.*4104

Microsoft Windows Snare Application

Syslog RFC 3164 (QRadar)

\t(Application|Security|System)\t\tMSWinEventLog\t

One desitnation and policy required for Security, Application and System

Microsoft Windows Snare Security

Syslog RFC 3164 (QRadar)

\t(Application|Security|System)\t

See above

Microsoft Windows Snare System

Syslog RFC 3164 (QRadar)

\t(Application|Security|System)\t

See above

Microsoft Windows Sysmon

Syslog RFC 3164 (QRadar)

Microsoft-Windows-Sysmon/Operational

Microsoft Windows Sysmon

Syslog RFC 3164 (QRadar)

Microsoft-Windows-Sysmon/Operational

RADIUS_NPS

Syslog RFC 3164 (QRadar)

\tRadiusLog\t

“Custom” Log type specified in policy. Set as "RadiusLog".

Windows MSSQL Via Syslog SNARE

Syslog RFC 3164 (QRadar)

MSSQL\$MICROSOFT##WID|MSSQLSERVERReplace MSSQLSERVER with instance name

Windows MSSQL Via Syslog SNARE

Syslog RFC 3164 (QRadar)

MSSQL\$MICROSOFT##WID|MSSQLSERVER

Replace MSSQLSERVER with instance nameCEF


Note: A port for ingestion of each type will need to be created in Securonix first.

...