Network and security sensors require open inbound UDP ports on your firewall in order to receive and parse logs from devices on your network. The ports are already open on the sensor by default; what remains is to open the appropriate ports on your firewall. If you configure TLS for your security sensors, you must open TCP ports instead.
Sensors listen on UDP port 514 by default. They then analyze the logs to determine the source device. If the logs are in a standard format, such as CEF or LEEF, we strongly recommend that you forward to the port specific to the format, even if there is a vendor-specific ingestion port. Our vendor-specific ingestion is for the syslog format.
By sending the logs to the appropriate ingestion port instead of port 514, you:
When deciding where to forward your logs:
Following are the ports for standard formats. Use the dev_type field in the Interflow to find the logs when threat hunting in the specified index. When the DP processes the logs it decides the index based on the data in the logs. For example, in the table the Index for LEEF is Traffic (source IP address), Syslog (otherwise). This means that the index will be Traffic if a source IP address is detected, or Syslog if not, in that order.
Standard | Port | dev_type | Index | Comments |
---|---|---|---|---|
CEF | 5143 | cef_device_vendor | Windows Events (cef_device_vendor: ManageEngine and cef_device_product: ADAuditPlus), ML IDS/Malware Detection (dev_type: threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) | We recommend you use CEF if available |
CEF2 | 5175 | cef_device_vendor | Traffic (source IP address), Syslog (otherwise) | - |
Generic capture | 5201 | generic_capture | Syslog | - |
Generic syslog | 514 | - | - | Use only if you must use a log forwarder |
HTTP JSON | 5200 | httpjson | Syslog | - |
JSON stream | 5142 | json | Syslog | - |
JSON beats | 5044 | beats | Syslog | - |
LEEF | 5522 | vendor | Traffic (source IP address), Syslog (otherwise) | We recommend you use LEEF if available |
RFC 3164 | 5140 | - | Syslog | - |
RFC 5424 | 5141 | - | Syslog | - |
Following are the ports for specific devices. Use the dev_type field in the Interflow to find the logs when threat hunting in the specified index. When the DP processes the logs it decides the index based on the data in the logs. For example, in the table the Index for Calyptix is ML IDS/Malware Detection (IDS signature), Traffic (source IP address), Syslog (otherwise). This means that the index will be ML IDS/Malware Detection if an IDS signature is detected, Traffic if a source IP address is detected, or Syslog if neither of them is detected, in that order.
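The "first match wins, Syslog otherwise" ordering described for both tables, written out as an added example (not the DP's own code) using the CEF row of the standard-format table and the Palo Alto firewall row of the device table; the field names (cef_device_vendor, cef_device_product, dev_type, srcip/srcport/dstip/dstport/proto, type) are the ones the tables cite, and the sample records are constructed.

```python
"""Ordered index selection: walk the rules in table order and return the
first index whose condition matches the parsed fields; Syslog is the
fallback. Example code, not the DP's implementation."""
from typing import Callable, Dict, Iterable, List, Tuple

Record = Dict[str, str]
Rule = Tuple[str, Callable[[Record], bool]]  # (index name, predicate)

# The full 5-tuple the CEF row requires before a log lands in Traffic.
TRAFFIC_TUPLE = ("srcip", "srcport", "dstip", "dstport", "proto")


def has_all(record: Record, fields: Iterable[str]) -> bool:
    """True when every named field is present with a non-empty value."""
    return all(record.get(f) not in (None, "") for f in fields)


# CEF on port 5143, in the order the standard-format table lists them.
CEF_RULES: List[Rule] = [
    ("Windows Events", lambda r: r.get("cef_device_vendor") == "ManageEngine"
                                 and r.get("cef_device_product") == "ADAuditPlus"),
    ("ML IDS/Malware Detection", lambda r: r.get("dev_type") == "threat"),
    ("Traffic", lambda r: has_all(r, TRAFFIC_TUPLE)),
]

# Palo Alto firewall on port 5515 (dev_type fw_palo_alto): keyed on "type".
PALO_ALTO_RULES: List[Rule] = [
    ("Traffic", lambda r: r.get("type") == "traffic"),
    ("ML IDS/Malware", lambda r: r.get("type") == "threat"),
]


def choose_index(rules: List[Rule], record: Record) -> str:
    """Return the index of the first matching rule, or Syslog if none match."""
    for index, matches in rules:
        if matches(record):
            return index
    return "Syslog"


if __name__ == "__main__":
    # Constructed sample: an ADAuditPlus event that also carries a full
    # traffic tuple still goes to Windows Events because that rule is first.
    adaudit = {"cef_device_vendor": "ManageEngine",
               "cef_device_product": "ADAuditPlus",
               "srcip": "10.0.0.5", "srcport": "49152",
               "dstip": "10.0.0.9", "dstport": "389", "proto": "tcp"}
    print(choose_index(CEF_RULES, adaudit))          # Windows Events
    # Constructed sample: srcip alone is not enough for CEF's Traffic rule.
    print(choose_index(CEF_RULES, {"srcip": "10.0.0.5"}))   # Syslog
    print(choose_index(PALO_ALTO_RULES, {"type": "threat"}))  # ML IDS/Malware
```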
Device | Port | Interflow dev_type | Index |
---|---|---|---|
Accops | 5526 | accops | Traffic (srcip), Syslog (otherwise) |
Access Manager | 5167 | access_manager | Syslog |
AhnLab TrusGuard | 5558 | ahnlab_trusguard | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AhnLab Policy Center | 5571 | ahnlab_policy_center | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AirWatch (CEF) | 5143 | cef_device_vendor | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
AIX | 5523 | aix | Traffic (event_time: time format of hour:minute:second), Syslog (otherwise) |
Aliyun | 5545 | aliyun | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Array Networks Secure Access Gateway | 5537 | array_sag | Traffic (srcip), Syslog (otherwise) |
Aruba Switch | 5577 | aruba_switch | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Automox | 5183 | automox | Syslog |
Azure ATP (CEF) | 5143 | cef_device_vendor | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Azure MFA | 5528 | azure_mfa | Traffic (srcip), Syslog (otherwise) |
Barracuda CloudGen firewall | 5524 | barracuda_fw | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise) |
Barracuda email | 5559 | barracuda_email | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Barracuda Web Application Firewall | 5524 | barracuda_fw | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise) |
BlackBerry CylancePROTECT | 5177 | cylance | Syslog |
BlueCoatProxySG | 5576 | bluecoat_proxysg | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Brocade switch | 5548 | brocade_switch | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Calyptix UTM | 5161 | calyptix | ML IDS/Malware (IDS signature), Traffic (srcip), Syslog (otherwise) |
Centrify | 5165 | centrify | Syslog |
CheckPoint firewall | 5519 | fw_checkpoint | Traffic (srcip), Syslog (otherwise) |
CheckPoint 730/750 appliance | 5174 | fw_checkpoint_appliance | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco ASA | 5518 | fw_cisco_asa | Traffic (srcip), Syslog (otherwise) |
Cisco CUCM | 5532 | cisco_cucm | Syslog |
Cisco ESA | 5562 | cisco_esa | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Firepower | 5168 | ips_fire_power | Traffic (srcip), Syslog (otherwise) |
Cisco IronPort | 5163 | cisco_ironport | Syslog |
Cisco IKE | 5176 | ciscovpn | Syslog |
Cisco ISE | 5157 | ciscoise | Syslog |
Cisco MDS | 5563 | cisco_mds | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco Meraki | 5172 | meraki | Traffic (srcip), Syslog (otherwise) |
Cisco Netflow | 2055 | netflow | Syslog |
Cisco routers and switches | 5158 | cisco_router_switch | Syslog |
Cisco Umbrella | 5521 | cisco_umbrella | Syslog |
Cisco VPN | 5156 | ciscovpn | Syslog |
Cisco UCS | 5579 | cisco_ucs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Cisco WLC | 5531 | cisco_wlc | Syslog |
Citrix NetScaler | 5166 | netscaler | Syslog |
CoreLight | 5575 | corelight_sensor | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CrowdStrike (CEF) | 5143 | crowdstrike | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
CrowdStrike (beats) | 5044 | crowdstrike | Syslog |
DBSafer | 5181 | dbsafer | Syslog |
Dell iDRAC | 5566 | dell_idrac | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Dell Switch | 5578 | dell_switch | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
DHCPD | 5554 | dhcpd | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
D-Link | 5189 | dlink | Traffic (srcip), Syslog (otherwise) |
Dragos (CEF) | 5539 | dragos | Traffic (srcip), Syslog (otherwise) |
ExtraHop (CEF) | 5143 | extrahop | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 BIG-IP ASM | 5162 | f5_big_ip | ML IDS/Malware (IDS signature), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
F5 BIG-IP Telemetry | 5200 | f5_big_ip | Syslog |
F5 IPI | 5536 | f5_threat_intelligence | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise) |
F5 iRule | 5536 | f5_irule | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise) |
F5 L7 DDOS | 5536 | f5_l7ddos | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise) |
F5 Mitigation | 5536 | f5_ddos | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise) |
F5 NGINX | 5151 | nginx | Syslog |
F5 Silverline | 5536 | f5_silverline | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise) |
F5 VPN | 5187 | f5_vpn | Syslog |
F5 WAF | 5536 | f5_waf | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise) |
FatPipe Networks SD-WAN | 5583 | fatpipe_sd_wan | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Forcepoint Web Security (CEF) | 5143 | cef_device_vendor | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
ForeScout | 5154 | forescout | Syslog |
Fortinet FortiGate | 5517 | fw_fortigate | Traffic (action), Syslog (otherwise) |
Fortinet FortiAnalyzer | 5542 | forti-analyzer | Syslog |
Graylog | 5569 | graylog | Windows Events (winlogevent), ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Hewlett Packard UNIX | 5585 | hp-ux | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Hillstone | 5514 | fw_hillstone | Traffic (log_type: traffic), Syslog (otherwise) |
Indusface Web Application Firewall | 5582 | indusface_waf | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Jsonar Database Security Tool | 5586 | jsonar_db_security_tool | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Juniper SSG | 5516 | fw_juniper_ssg | Traffic (srcip), Syslog (otherwise) |
Juniper SRX | 5173 | fw_juniper_srx | Traffic (srcip), Syslog (otherwise) |
Linux server | 514 | - | - |
Linux syslog | 5555 | linux_syslog | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Mailboarder Agent | 5580 | mailboarder_agent | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Mako Networks firewall | 5547 | mako_fw | Traffic (srcip), Syslog (otherwise) |
ManageEngine (CEF) | 5143 | manageengine | Windows Events (cef_device_vendor: ManageEngine and cef_device_product: ADAuditPlus), ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
McAfee Advanced Threat Defense | 5584 | mcafee_atd | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
McAfee ePolicy Orchestrator | 5533 | mcafee_epo | Traffic (srcip), Syslog (otherwise) |
McAfee firewall | 5169 | mcafeefirewall | Traffic (srcip), Syslog (otherwise) |
McAfee Network Security | 5527 | mcafee_ns | Traffic (srcip), Syslog (otherwise) |
Microsoft IIS (JSON) | 5142 | json | Syslog |
MikroTik | 5553 | mikrotik | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
MONITORAPP | 5535 | monitor_app | Traffic (srcip), Syslog (otherwise) |
Netfilter | 5544 | netfilter | Traffic (srcip), Syslog (otherwise) |
NetFlow | 2055 | netflow | Syslog |
NetIQ Access Manager | 5167 | access_manager | Syslog |
NetIQ Advanced Authentication (MFA) (CEF) | 5143 | cef_device_vendor | Windows Events |
NetIQ eDirectory (CEF) | 5143 | cef_device_vendor | Windows Events |
NetIQ Identity Manager (CEF) | 5143 | cef_device_vendor | Windows Events |
NetIQ SecureLogin | 5164 | openldap_style | Syslog |
NetIQ SSO | 5171 | netiqsso | Syslog |
OneLogin | 5581 | one_login | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Open LDAP | 5164 | openldap_style | Syslog |
OpenShift | 5573 | redhat_openshift | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Oracle DB | 5170 | oracle | Traffic (srcip), Syslog (otherwise) |
Palo Alto firewall | 5515 | fw_palo_alto | Traffic (type: traffic), ML IDS/Malware (type: threat), Syslog (otherwise) |
Palo Alto Panorama | 5515 | fw_palo_alto | Syslog |
Palo Alto traps (CEF) | 5143 | cef_device_vendor | Windows Events |
Penta Security WAPPLES | 5560 | penta_security_wapples | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
pfSense | 5543 | pfsense_fw | Syslog |
Privacy-i | 5178 | privacy | Syslog |
Proofpoint | 5160 | proofpoint | Syslog |
PrintChaser | 5179 | printchaser | Syslog |
Pulse Secure | 5534 | pulse_secure | Syslog |
Rapid7 | 5153 | rapid7 | Syslog |
RSA Authentication Manager | 5184 | rsa_auth | Syslog |
SafePC | 5180 | safepc | Syslog |
SECUI | 5561 | secui_fw | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
SECUI MF2 Firewall | 5570 | secui_mf2 | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Security Strategy Research (SSR) Metieye | 5572 | ssr_metieye | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sentinel One (CEF2) | 5175 | cef_device_vendor | Traffic (srcip), Syslog (otherwise) |
Sniper IPS | 5182 | sniperips | Traffic (srcip), Syslog (otherwise) |
SonicWall firewall | 5152 | sonicfw | ML IDS/Malware (IDS signature), Traffic (srcip), Syslog (otherwise) |
SonicWall VPN | 5556 | sonicwall_vpn | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos | 5530 | sophos | Traffic (endpoint_type: traffic), ML IDS/Malware (endpoint_type: threat), Syslog (endpoint_type: computer) |
Sophos endpoint | 5565 | ep_sophos | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Sophos firewall | 5520 | fw_sophos | Traffic (log_type: firewall), ML IDS/Malware (log_type: IDP, Anti-Virus, Anti-Spam, or content filtering), Traffic (srcip), Syslog (otherwise) |
Splunk Heavy Forwarder | 5188 | splunk_forwarder | Syslog |
Symantec Endpoint Protection | 5525 | symantec_ep | Traffic (srcip), Syslog (otherwise) |
Symantec Messaging Gateway | 5567 | symantec_messaging_gateway | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Symantec Web Security | 5155 | symantec | Syslog |
Trend Micro ApexOne | 5143 | trend_micro | Syslog |
Trend Micro Proxy | 5540 | trendmicro_proxy | Traffic (srcip), Syslog (otherwise) |
Tripwire Enterprise | 5186 | tripwire | Syslog |
Ubiquiti | 5552 | ubiquiti | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Versa Networks Firewall | 5568 | versa_networks_fw | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
VMware Carbon Black On-Prem EDR (CEF) | 5143 | cef_device_vendor | Windows Events |
VMWare ESXi | 5600 | vmware | Syslog |
VMware NSX-T Data Center | 5574 | vmware_nsx_t | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
WatchGuard firewall security appliance | 5557 | watchguard_fw | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Winsips | 5538 | winsips | ML IDS/Malware (vendor.attack_name), Syslog (otherwise) |
Zix | 5185 | zix_mail | Traffic (srcip), Syslog (otherwise) |
Zscaler ZIA firewall | 5549 | zscaler_zia_fw | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zscaler ZIA web | 5550 | zscaler_zia_web | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |
Zscaler ZPA | 5551 | zscaler_zpa | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) |