Syslog Forwarding - Breach Detection System - Ports To Send To

Firewall Ports to Open for Log Ingestion

Network and security sensors receive and parse logs from devices on your network on inbound UDP ports. Those ports are already open on the sensor by default; what you must open are the corresponding inbound ports on your firewall, restricted to the forwarders that send logs. If you configure TLS for your security sensors, the sensor listens on TCP instead, so open the TCP ports rather than the UDP ports.

Sensors listen on UDP port 514 by default and analyze each log to determine the source device. If the logs are in a standard format, such as CEF or LEEF, we strongly recommend that you forward them to the port for that format, even if a vendor-specific ingestion port also exists. The vendor-specific ingestion ports are for logs in plain syslog format.

By sending the logs to the appropriate ingestion port instead of port 514, you:

  • Speed up your data ingestion and log parsing, and increase sensor performance, because the sensor already knows the source device
  • Retain the correct log source, because logs received on port 514 have the source set to local when forwarded to the data processor

When deciding where to forward your logs:

  • If the logs are in a standard format, forward to the port for that standard, even if we also have a parser for that vendor.
  • If the logs are plain syslog, forward to the port for that vendor.

Standard Ports

Following are the ports for standard formats. Use the dev_type field in the Interflow record to find the logs when threat hunting in the specified index. When the data processor (DP) processes the logs, it decides the index based on the data in each log, evaluating the conditions in the Index column in the order listed. For example, in the table the Index for LEEF is Traffic (source IP address), Syslog (otherwise): the index is Traffic if a source IP address is detected, and Syslog if not.

Standard | Port | dev_type | Index | Comments
-------- | ---- | -------- | ----- | --------
CEF | 5143 | cef_device_vendor | Windows Events (cef_device_vendor: ManageEngine and cef_device_product: ADAuditPlus), ML IDS/Malware Detection (dev_type: threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise) | We recommend you use CEF if available
CEF2 | 5175 | cef_device_vendor | Traffic (source IP address), Syslog (otherwise) | -
Generic capture | 5201 | generic_capture | Syslog | -
Generic syslog | 514 | - | - | Use only if you must use a log forwarder
HTTP JSON | 5200 | httpjson | Syslog | -
JSON stream | 5142 | json | Syslog | -
JSON beats | 5044 | beats | Syslog | -
LEEF | 5522 | vendor | Traffic (source IP address), Syslog (otherwise) | We recommend you use LEEF if available
RFC 3164 | 5140 | - | Syslog | -
RFC 5424 | 5141 | - | Syslog | -

Vendor Specific Ports

Following are the ports for specific devices. Use the dev_type field in the Interflow record to find the logs when threat hunting in the specified index. When the data processor (DP) processes the logs, it decides the index based on the data in each log, evaluating the conditions in the Index column in the order listed. For example, in the table the Index for Calyptix is ML IDS/Malware Detection (IDS signature), Traffic (source IP address), Syslog (otherwise): the index is ML IDS/Malware Detection if an IDS signature is detected, Traffic if a source IP address is detected, and Syslog if neither is detected, in that order.

Device | Port | Interflow dev_type | Index
------ | ---- | ------------------ | -----
Accops | 5526 | accops | Traffic (srcip), Syslog (otherwise)
Access Manager | 5167 | access_manager | Syslog
AhnLab TrusGuard | 5558 | ahnlab_trusguard | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AhnLab Policy Center | 5571 | ahnlab_policy_center | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AirWatch (CEF) | 5143 | cef_device_vendor | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
AIX | 5523 | aix | Traffic (event_time: time format of hour:minute:second), Syslog (otherwise)
Aliyun | 5545 | aliyun | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Array Networks Secure Access Gateway | 5537 | array_sag | Traffic (srcip), Syslog (otherwise)
Aruba Switch | 5577 | aruba_switch | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Automox | 5183 | automox | Syslog
Azure ATP (CEF) | 5143 | cef_device_vendor | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Azure MFA | 5528 | azure_mfa | Traffic (srcip), Syslog (otherwise)
Barracuda CloudGen firewall | 5524 | barracuda_fw | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
Barracuda email | 5559 | barracuda_email | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Barracuda Web Application Firewall | 5524 | barracuda_fw | ML IDS/Malware (sub_dev_type: fw_threat or fw_av), Traffic (srcip), Syslog (otherwise)
BlackBerry CylancePROTECT | 5177 | cylance | Syslog
BlueCoat ProxySG | 5576 | bluecoat_proxysg | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Brocade switch | 5548 | brocade_switch | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Calyptix UTM | 5161 | calyptix | ML IDS/Malware (IDS signature), Traffic (srcip), Syslog (otherwise)
Centrify | 5165 | centrify | Syslog
CheckPoint firewall | 5519 | fw_checkpoint | Traffic (srcip), Syslog (otherwise)
CheckPoint 730/750 appliance | 5174 | fw_checkpoint_appliance | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco ASA | 5518 | fw_cisco_asa | Traffic (srcip), Syslog (otherwise)
Cisco CUCM | 5532 | cisco_cucm | Syslog
Cisco ESA | 5562 | cisco_esa | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Firepower | 5168 | ips_fire_power | Traffic (srcip), Syslog (otherwise)
Cisco IronPort | 5163 | cisco_ironport | Syslog
Cisco IKE | 5176 | ciscovpn | Syslog
Cisco ISE | 5157 | ciscoise | Syslog
Cisco MDS | 5563 | cisco_mds | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco Meraki | 5172 | meraki | Traffic (srcip), Syslog (otherwise)
Cisco Netflow | 2055 | netflow | Syslog
Cisco routers and switches | 5158 | cisco_router_switch | Syslog
Cisco Umbrella | 5521 | cisco_umbrella | Syslog
Cisco VPN | 5156 | ciscovpn | Syslog
Cisco UCS | 5579 | cisco_ucs | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Cisco WLC | 5531 | cisco_wlc | Syslog
Citrix NetScaler | 5166 | netscaler | Syslog
CoreLight | 5575 | corelight_sensor | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CrowdStrike (CEF) | 5143 | crowdstrike | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
CrowdStrike (beats) | 5044 | crowdstrike | Syslog
DBSafer | 5181 | dbsafer | Syslog
Dell iDRAC | 5566 | dell_idrac | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Dell Switch | 5578 | dell_switch | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
DHCPD | 5554 | dhcpd | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
D-Link | 5189 | dlink | Traffic (srcip), Syslog (otherwise)
Dragos (CEF) | 5539 | dragos | Traffic (srcip), Syslog (otherwise)
ExtraHop (CEF) | 5143 | extrahop | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 BIG-IP ASM | 5162 | f5_big_ip | ML IDS/Malware (IDS signature), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
F5 BIG-IP Telemetry | 5200 | f5_big_ip | Syslog
F5 IPI | 5536 | f5_threat_intelligence | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise)
F5 iRule | 5536 | f5_irule | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise)
F5 L7 DDOS | 5536 | f5_l7ddos | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise)
F5 Mitigation | 5536 | f5_ddos | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise)
F5 NGINX | 5151 | nginx | Syslog
F5 Silverline | 5536 | f5_silverline | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise)
F5 VPN | 5187 | f5_vpn | Syslog
F5 WAF | 5536 | f5_waf | ML IDS/Malware (threat), Traffic (dstip), Syslog (otherwise)
FatPipe Networks SD-WAN | 5583 | fatpipe_sd_wan | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Forcepoint Web Security (CEF) | 5143 | cef_device_vendor | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
ForeScout | 5154 | forescout | Syslog
Fortinet FortiGate | 5517 | fw_fortigate | Traffic (action), Syslog (otherwise)
Fortinet FortiAnalyzer | 5542 | forti-analyzer | Syslog
Graylog | 5569 | graylog, microsoft_windows, fw_palo_alto | Windows Events (winlogevent), ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Hewlett Packard UNIX | 5585 | hp-ux | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Hillstone | 5514 | fw_hillstone | Traffic (log_type: traffic), Syslog (otherwise)
Indusface Web Application Firewall | 5582 | indusface_waf | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Jsonar Database Security Tool | 5586 | jsonar_db_security_tool | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Juniper SSG | 5516 | fw_juniper_ssg | Traffic (srcip), Syslog (otherwise)
Juniper SRX | 5173 | fw_juniper_srx | Traffic (srcip), Syslog (otherwise)
Linux server | 514 | - | -
Linux syslog | 5555 | linux_syslog | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Mailboarder Agent | 5580 | mailboarder_agent | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Mako Networks firewall | 5547 | mako_fw | Traffic (srcip), Syslog (otherwise)
ManageEngine (CEF) | 5143 | manageengine | Windows Events (cef_device_vendor: ManageEngine and cef_device_product: ADAuditPlus), ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
McAfee Advanced Threat Defense | 5584 | mcafee_atd | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
McAfee ePolicy Orchestrator | 5533 | mcafee_epo | Traffic (srcip), Syslog (otherwise)
McAfee firewall | 5169 | mcafeefirewall | Traffic (srcip), Syslog (otherwise)
McAfee Network Security | 5527 | mcafee_ns | Traffic (srcip), Syslog (otherwise)
Microsoft IIS (JSON) | 5142 | json | Syslog
MikroTik | 5553 | mikrotik | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
MONITORAPP | 5535 | monitor_app | Traffic (srcip), Syslog (otherwise)
Netfilter | 5544 | netfilter | Traffic (srcip), Syslog (otherwise)
NetFlow | 2055 | netflow | Syslog
NetIQ Access Manager | 5167 | access_manager | Syslog
NetIQ Advanced Authentication (MFA) (CEF) | 5143 | cef_device_vendor | Windows Events
NetIQ eDirectory (CEF) | 5143 | cef_device_vendor | Windows Events
NetIQ Identity Manager (CEF) | 5143 | cef_device_vendor | Windows Events
NetIQ SecureLogin | 5164 | openldap_style | Syslog
NetIQ SSO | 5171 | netiqsso | Syslog
OneLogin | 5581 | one_login | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Open LDAP | 5164 | openldap_style | Syslog
OpenShift | 5573 | redhat_openshift | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Oracle DB | 5170 | oracle | Traffic (srcip), Syslog (otherwise)
Palo Alto firewall | 5515 | fw_palo_alto | Traffic (type: traffic), ML IDS/Malware (type: threat), Syslog (otherwise)
Palo Alto Panorama | 5515 | fw_palo_alto | Syslog
Palo Alto Traps (CEF) | 5143 | cef_device_vendor | Windows Events
Penta Security WAPPLES | 5560 | penta_security_wapples | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
pfSense | 5543 | pfsense_fw | Syslog
Privacy-i | 5178 | privacy | Syslog
Proofpoint | 5160 | proofpoint | Syslog
PrintChaser | 5179 | printchaser | Syslog
Pulse Secure | 5534 | pulse_secure | Syslog
Rapid7 | 5153 | rapid7 | Syslog
RSA Authentication Manager | 5184 | rsa_auth | Syslog
SafePC | 5180 | safepc | Syslog
SECUI | 5561 | secui_fw | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SECUI MF2 Firewall | 5570 | secui_mf2 | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Security Strategy Research (SSR) Metieye | 5572 | ssr_metieye | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
SentinelOne (CEF2) | 5175 | cef_device_vendor | Traffic (srcip), Syslog (otherwise)
Sniper IPS | 5182 | sniperips | Traffic (srcip), Syslog (otherwise)
SonicWall firewall | 5152 | sonicfw | ML IDS/Malware (IDS signature), Traffic (srcip), Syslog (otherwise)
SonicWall VPN | 5556 | sonicwall_vpn | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Sophos | 5530 | sophos | Traffic (endpoint_type: traffic), ML IDS/Malware (endpoint_type: threat), Syslog (endpoint_type: computer)
Sophos endpoint | 5565 | ep_sophos | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Sophos firewall | 5520 | fw_sophos | Traffic (log_type: firewall), ML IDS/Malware (log_type: IDP, Anti-Virus, Anti-Spam, or content filtering), Traffic (srcip), Syslog (otherwise)
Splunk Heavy Forwarder | 5188 | splunk_forwarder | Syslog
Symantec Endpoint Protection | 5525 | symantec_ep | Traffic (srcip), Syslog (otherwise)
Symantec Messaging Gateway | 5567 | symantec_messaging_gateway | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Symantec Web Security | 5155 | symantec | Syslog
Trend Micro ApexOne | 5143 | trend_micro | Syslog
Trend Micro Proxy | 5540 | trendmicro_proxy | Traffic (srcip), Syslog (otherwise)
Tripwire Enterprise | 5186 | tripwire | Syslog
Ubiquiti | 5552 | ubiquiti | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Versa Networks Firewall | 5568 | versa_networks_fw | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
VMware Carbon Black On-Prem EDR (CEF) | 5143 | cef_device_vendor | Windows Events
VMware ESXi | 5600 | vmware | Syslog
VMware NSX-T Data Center | 5574 | vmware_nsx_t | Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
WatchGuard firewall security appliance | 5557 | watchguard_fw | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Winsips | 5538 | winsips | ML IDS/Malware (vendor.attack_name), Syslog (otherwise)
Zix | 5185 | zix_mail | Traffic (srcip), Syslog (otherwise)
Zscaler ZIA firewall | 5549 | zscaler_zia_fw | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Zscaler ZIA web | 5550 | zscaler_zia_web | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
Zscaler ZPA | 5551 | zscaler_zpa | ML IDS/Malware (threat), Traffic (srcip, srcport, dstip, dstport, and proto), Syslog (otherwise)
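The two decisions this page describes, which port and transport to forward to, and which index the data processor assigns by evaluating the Index column's conditions in order, can be modelled in a few lines. The following is an added example written for this page; it is not the sensor's or the data processor's code. It assumes a small constructed subset of the tables above, constructed dictionaries standing in for parsed Interflow fields, and an assumed field name ids_signature for the "IDS signature" condition, since the page does not name that field. It also adds a gap check that lists the firewall openings a forwarding plan still needs, which is the check a practitioner usually wants before changing firewall rules.

```python
"""Added example: ingestion-port choice and index decision (not vendor code).

Assumptions: INGEST is a constructed subset of the page's tables; sample
records are constructed dictionaries; "ids_signature" is an assumed field
name for the page's "IDS signature" condition.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass
class Rule:
    """One entry of the Index column: the index and the condition for it."""
    index: str
    predicate: Callable[[dict], bool]


def has_all(*keys: str) -> Callable[[dict], bool]:
    """True when every named field is present and non-empty in the record."""
    return lambda rec: all(rec.get(k) not in (None, "") for k in keys)


def field_equals(key: str, *values: str) -> Callable[[dict], bool]:
    """True when the record's field holds one of the listed values."""
    return lambda rec: rec.get(key) in values


# The page's "srcip, srcport, dstip, dstport, and proto" Traffic condition.
FIVE_TUPLE = has_all("srcip", "srcport", "dstip", "dstport", "proto")


@dataclass
class Ingest:
    port: int
    dev_type: str
    rules: List[Rule] = field(default_factory=list)  # evaluated in order


# Constructed subset of the Standard Ports and Vendor Specific Ports tables.
INGEST: Dict[str, Ingest] = {
    "Generic syslog": Ingest(514, "-", []),
    "CEF": Ingest(5143, "cef_device_vendor", [
        Rule("Windows Events", lambda r: r.get("cef_device_vendor") == "ManageEngine"
             and r.get("cef_device_product") == "ADAuditPlus"),
        Rule("ML IDS/Malware", field_equals("dev_type", "threat")),
        Rule("Traffic", FIVE_TUPLE),
    ]),
    "Calyptix UTM": Ingest(5161, "calyptix", [
        Rule("ML IDS/Malware", has_all("ids_signature")),  # assumed field name
        Rule("Traffic", has_all("srcip")),
    ]),
    "Palo Alto firewall": Ingest(5515, "fw_palo_alto", [
        Rule("Traffic", field_equals("type", "traffic")),
        Rule("ML IDS/Malware", field_equals("type", "threat")),
    ]),
}


def resolve_index(device: str, record: dict) -> str:
    """Walk the device's Index conditions top to bottom; first match wins.
    No match means the page's "Syslog (otherwise)" column."""
    for rule in INGEST[device].rules:
        if rule.predicate(record):
            return rule.index
    return "Syslog"


def forwarding_target(device: str, tls: bool = False) -> Tuple[str, int]:
    """(transport, port) to forward to: UDP by default, TCP when TLS is on."""
    return ("tcp" if tls else "udp", INGEST[device].port)


def firewall_gaps(plan: Iterable[Tuple[str, bool]],
                  allowed: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Given (device, tls) pairs you intend to forward and the (transport, port)
    pairs already allowed inbound on the firewall, list what is still closed."""
    needed = {forwarding_target(device, tls) for device, tls in plan}
    return sorted(needed - set(allowed))


if __name__ == "__main__":
    # Constructed records: one Calyptix log with a signature, one with only a
    # source IP, one with neither; the index falls through in that order.
    for rec in ({"ids_signature": "SCAN", "srcip": "10.0.0.5"},
                {"srcip": "10.0.0.5"},
                {"msg": "link up"}):
        print("Calyptix UTM ->", resolve_index("Calyptix UTM", rec))
    plan = [("CEF", False), ("Calyptix UTM", False), ("CEF", True)]
    print("still to open:", firewall_gaps(plan, {("udp", 5143)}))
```

Running the block prints the three Calyptix indices in order (ML IDS/Malware, Traffic, Syslog) and reports that TCP 5143 (the TLS variant of CEF) and UDP 5161 still need firewall rules when only UDP 5143 is open. Keeping the rules as an ordered list, rather than a set of independent flags, is what makes the "in that order" semantics of the Index column explicit.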