QRadar supported DSMs

IBM® QRadar® can collect events from your security products by using a plug-in file that is called a Device Support Module (DSM).

QRadar can receive logs from systems and devices by using the Syslog protocol, which is a standard protocol. Supported DSMs can use other protocols, as mentioned in the Supported DSM table. You can try to configure third-party applications to send logs to QRadar through the Syslog protocol. For more information, see Adding a log source.

If you want to send logs by using a supported DSM that is not supported by the auto discovery feature in QRadar, you need to manually add a log source. For more information about adding a log source in QRadar, see Adding a log source.

What do you do if the product version or device you have is not listed in the DSM Configuration Guide?

Sometimes a version of a vendor product or a device is not listed as supported. If the product or device is not listed, follow these guidelines:

Version not listed
If the DSM for your product is officially supported by QRadar, but your product version is not listed in the IBM QRadar DSM Configuration Guide, you have the following options:
  • Try the DSM to see whether it works. The product versions that are listed in the guide are tested by IBM, but newer untested versions can also work.
  • If you tried the DSM and it didn’t work, open a support ticket for a review of the log source to troubleshoot and rule out any potential issues.
    Tip: In most cases, no changes are necessary, or perhaps a minor update to the IBM QRadar Identifier (QID) Map might be all that is required. Software updates by vendors might on rare occasions add or change event formats that break the DSM, requiring an RFE for the development of a new integration. This is the only scenario where an RFE is required.
Device not listed
When a device is not officially supported, you have the following options:
  • Open a request for enhancement (RFE) to have your device become officially supported.
    • Go to the QRadar SIEM RFE page (https://ibm.biz/BdRPx5).
    • Log in to the support portal page.
    • Click the Submit tab and type the necessary information.
      Tip: If you have event logs from a device, attach the event information and include the product version of the device that generated the event log.
  • Write a log source extension to parse events for your device. For more information, see Log source extensions and the DSM Editor.
  • You can use content extensions for sending events to QRadar that are provided by some third-party vendors. They can be found on the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/). These third-party DSM integrations are supported by the vendor, not by IBM.

The following table lists supported DSMs for third-party and IBM QRadar solutions.

Table 1. QRadar Supported DSMs
Manufacturer Device name and version Protocol Recorded events and formats Auto discovered? Includes identity? Includes custom properties?
3Com 8800 Series Switch V3.01.30 Syslog Status and network condition events Yes No No
AhnLab AhnLab Policy Center

AhnLabPolicy

CenterJdbc

Spyware detection

Virus detection

Audit

No Yes No
Akamai Akamai KONA

HTTP Receiver

Akamai Kona REST API

Event format: JSON

Recorded event types: All security events

No No No
Amazon

Amazon AWS CloudTrail

Amazon AWS S3 REST API

All version 1.0, 1.02, 1.03, and 1.04 events.

No No No
Amazon Amazon AWS Network Firewall Amazon AWS S3 REST API

Event format: JSON

Recorded event types: Firewall Alert logs, Firewall Flow logs

No No No
Amazon Amazon AWS Security Hub Amazon Web Services

Event format: JSON

Recorded event types: AWS Security Finding Format (ASFF)

No No No
Amazon Amazon AWS WAF Amazon AWS S3 REST API

Event format: JSON

Recorded event types: Traffic allow, Traffic block

No No No
Amazon Amazon GuardDuty Amazon Web Services

Amazon GuardDuty Findings

JSON

No No No
Ambiron TrustWave ipAngel V4.0 Syslog Snort-based events No No No
Apache HTTP Server V1.3+ Syslog, Syslog-ng HTTP status Yes No No
APC UPS Syslog Smart-UPS series events No No No
Apple Apple Mac OS X version 10.12 Syslog Firewall, web server access, web server error, privilege, and informational events No Yes No
Application Security, Inc. DbProtect V6.2, V6.3, V6.3sp1, V6.3.1, and v6.4 Syslog All events Yes No No
Arbor Networks Arbor Networks Pravail APS V3.1+ Syslog, TLS Syslog All events Yes No No
Arbor Networks Arbor Networks Peakflow SP V5.8 to V8.1.2 Syslog, TLS Syslog

Denial of Service (DoS)

Authentication

Exploit

Suspicious activity

System

Yes No No
Arpeggio Software SIFT-IT V3.1+ Syslog All events configured in the SIFT-IT rule set Yes No No
Array Networks SSL VPN ArraySP V7.3 Syslog All events No Yes Yes
Aruba Networks ClearPass Policy Manager V6.5.0.71095 and above Syslog LEEF Yes Yes No
Aruba Networks Mobility Controllers V2.5 + Syslog All events Yes No No
Avaya Inc. Avaya VPN Gateway V9.0.7.2 Syslog All events Yes Yes No
BalaBit IT Security MicrosoftWindows Security Event Log V4.x Syslog Microsoft Event Log events Yes Yes No
BalaBit IT Security Microsoft ISA V4.x Syslog and WinCollect Microsoft Event Log vents Yes Yes No
Barracuda Networks Spam & Virus Firewall V5.x and later Syslog All events Yes No No
Barracuda Networks Web Application Firewall V7.0.x Syslog System, web firewall, access, and audit events Yes No No
Barracuda Networks Web Filter V6.0.x+ Syslog Web traffic and web interface events Yes No No
BlueCat Networks Adonis V6.7.1-P2+ Syslog DNS and DHCP events Yes No No
Blue Coat SG V4.x+ Syslog, Log File Protocol All events No No Yes
Blue Coat Web Security Service   Blue Coat ELFF, Access No No No

Box

Box Box REST API

Event format: JSON

RTC 256758

Event types: Administrator and enterprise events, Box Shield Alerts

No Yes No
Bridgewater Systems AAA V8.2c1 Syslog All events Yes Yes No
Brocade Fabric OS V7.x Syslog System and audit events Yes No No
CA Access Control Facility V12 to V15 Log File Protocol All events No No Yes
CA SiteMinder Syslog All events No No No
CA Top Secret V12 to V15 Log File Protocol All events No No Yes
Centrify Centrify Identity Platform Centrify Redrock REST API

Event format: JSON

Event types: SaaS, Core, Internal and Mobile

No No No
Carbon Black Carbon Black V5.1 and later Syslog Watchlist hits Yes No No
Carbon Black Carbon Black Bit9 Parity Syslog LEEF Yes   No
Carbon Black Carbon Black Bit9 Security Platform V6.0.2 Syslog All events Yes Yes No
Centrify Centrify Identity Platform Centrify Redrock REST API

Event format: JSON

Event types: SaaS, Core, Internal and Mobile

No No No
Centrify Centrify Infrastructure Services 2017 Syslog and WinCollect WinCollect logs, Audit events Yes No No
Check Point

Check Point versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R75, R77, R80, and NGX

Syslog or OPSEC LEA Event format: LEEF (versions R77.30, R80.10, R80.20)

Event types: All events

Yes Yes Yes
Check Point VPN-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, and NGX Syslog or OPSEC LEA Event format: LEEF (versions R77.30, R80.10, R80.20)

Event types: All events

Yes Yes No
Check Point Check Point Multi-Domain Management (Provider-1) versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, and NGX Syslog or OPSEC LEA Event format: LEEF (versions R77.30, R80.10, R80.20)

Event types: All events

Yes Yes No
Cilasoft Cilasoft QJRN/400® V5.14.K+ Syslog IBM audit events Yes Yes No
Cisco 4400 Series Wireless LAN Controller V7.2 Syslog or SNMPv2 All events No No No
Cisco

Cisco CallManager 8.x, 11.5

Syslog Application events Yes No No
Cisco ACS V4.1 and later if directly from ACS V3.x and later if using ALE Syslog Failed Access Attempts Yes Yes No
Cisco Aironet V4.x+ Syslog Cisco Emblem Format Yes No No
Cisco ACE Firewall V12.2 Syslog All events Yes Yes No
Cisco Cisco AMP Cisco AMP

All security events

For a detailed list of supported events, go to the Cisco AMP for Endpoints API documentation. (https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevent_types&api_host=api.amp.cisco.com&api_resource=Event+Type&api_version=v1)

Note: Network traffic is supported only for Data Flow Control (DCF) events.
No No No
Cisco ASA V7.x and later Syslog All events Yes Yes No
Cisco ASA V7.x+ NSEL Protocol All events No No No
Cisco CSA V4.x, V5.x and V6.x Syslog SNMPv1 SNMPv2 All events Yes Yes No
Cisco CatOS for catalyst systems V7.3+ Syslog All events Yes Yes No
Cisco Cloud Web Security (CWS) Amazon AWS S3 REST API

W3C

All web usage logs

No No No
Cisco Cisco Stealthwatch V6.8 Syslog

Event format: LEEF

Event types: Anomaly, Data Hoarding, Exploitation, High Concern, Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfilration, C&C

Yes No No
Cisco IPS V7.1.10 and later, V7.2.x, V7.3.x SDEE All events No No No
Cisco
  • Cisco IronPort V5.5, V6.5, V7.1, V7.5 (adds support for access logs)
  • Cisco IronPort ESA: V10.0
  • Cisco IronPort WSA: V10.0
Syslog, Log File protocol Event format: All events

Recorded event types:

Mail (syslog)

System (syslog)

Access (syslog)

Web content filtering (Log File)

No No No
Cisco

Cisco Firepower Management Center V5.2 to V6.4

(formerly known as Cisco FireSIGHT Management Center)

Cisco Firepower eStreamer protocol

Discovery events

Correlation and White List events

Impact Flag alerts

User activity

Malware events

File events

Connection events

Intrusion events

Intrusion Event Packet Data

Intrusion Event Extra Data

No No No
Cisco Cisco Firepower Threat Defense Syslog

Event format: Syslog, Comma-separated values (CSV), Name-value pair (NVP)

Recorded event types: Intrusion, Connection

Yes Yes No
Cisco Cisco Firewall Service Module (FWSM) v2.1+ Syslog All events Yes Yes Yes
Cisco Cisco Catalyst Switch IOS, 12.2, 12.5+ Syslog All events Yes Yes No
Cisco Cisco Meraki Syslog

Event format: Syslog

Event types:

Events

Flows

security_event_ids_alerted

Yes No No
Cisco Cisco NAC Appliance v4.x + Syslog Audit, error, failure, quarantine, and infected events No No No
Cisco Cisco Nexus v6.x Syslog Nexus-OS events Yes No No
Cisco Cisco PIX Firewall v5.x, v6.3+ Syslog Cisco PIX events Yes Yes Yes
Cisco

Cisco Identity Services Engine V1.1 to V2.2

UDP Multiline Syslog

Event format: Syslog

Event types: Device events

No Yes No
Cisco Cisco IOS 12.2, 12.5+ Syslog All events Yes Yes No
Cisco Cisco Umbrella Amazon AWS S3 REST API

Event format: Cisco Umbrella CSV

Event types: Audit

No No No
Cisco Cisco VPN 3000 Concentrator versions VPN 3005, 4.1.7.H Syslog All events Yes Yes Yes
Cisco Cisco Wireless Services Modules (WiSM) V 5.1+ Syslog All events Yes No No
Citrix Citrix NetScaler V9.3 to V10.0 Syslog All events Yes Yes No
Citrix Citrix Access Gateway V4.5 Syslog Access, audit, and diagnostic events Yes No No
Cloudera Cloudera Navigator Syslog Audit events for HDFS, HBase, Hive, Hue, Cloudera Impala, Sentry Yes No No
Cloudflare Cloudflare Logs Amazon AWS S3 REST API

Event format: JSON

Event types: HTTP events, Firewall events

Yes No No
CloudPassage CloudPassage Halo Syslog, Log file All events Yes No No
CrowdStrike CrowdStrike Falcon

Syslog

LEEF

Incident summary, Detection summary, Authentication, Detection status update, Uploaded IoCs, Network containment, IP whitelisting, Policy management, CrowdStrike store, Falcon firewall management, Real time response, Event streams

Yes No No
CorreLog CorreLog Agent for IBM z/OS® Syslog LEEF All events Yes No No
CRYPTOCard CRYPTO- Shield V6.3 Syslog All events No No No
CyberArk CyberArk Privileged Threat Analytics V3.1 Syslog Detected security events Yes No No
CyberArk CyberArk Vault V6.x Syslog All events Yes Yes No
CyberGuard Firewall/VPN KS1000 V5.1 Syslog CyberGuard events Yes No No
Damballa Failsafe V5.0.2+ Syslog All events Yes No No
Digital China Networks DCS and DCRS Series switches V1.8.7 Syslog DCS and DCRS IPv4 events No No No
DG Technology DG Technology MEAS Syslog LEEF Mainframe events Yes No No
ESET ESET Remote Administrator V6.4.270 Syslog

LEEF

Threat events

Firewall Aggregated Event

HIPS Aggregated Event

Audit events

Yes Yes No
Extreme Dragon V5.0, V6.x, V7.1, V7.2, V7.3, and V7.4 Syslog SNMPv1 SNMPv3 All relevant Extreme Dragon events Yes No No
Extreme 800-Series Switch Syslog All events Yes No No
Extreme Matrix Router V3.5 Syslog SNMPv1 SNMPv2 SNMPv3 SNMP and syslog login, logout, and login failed events Yes No No
Extreme NetSight Automatic Security Manager V3.1.2 Syslog All events Yes No No
Extreme Matrix N/K/S Series Switch V6.x, V7.x Syslog All relevant Matrix K-Series, N-Series and S-Series device events Yes No No
Extreme Stackable and Standalone Switches Syslog All events Yes Yes No
Extreme XSR Security Router V7.6.14.0002 Syslog All events Yes No No
Extreme HiGuard Wireless IPS 2R2.0.30 Syslog All events Yes No No
Extreme HiPath Wireless Controller 2R2.0.30 Syslog All events Yes No No
Extreme NAC 3.2 and 3.3 Syslog All events Yes No No
Enterprise-IT-Security.com SF-Sherlock 8.1 and later LEEF

All_Checks, DB2_Security_Configuration, JES_Configuration, Job_Entry_System_Attack, Network_Parameter, Network_Security, No_Policy, Resource_Access_Viol, Resource_Allocation, Resource_Protection, Running_System_Change, Running_System_Security, Running_System_Status, Security_Dbase_Scan, Security_Dbase_Specialty, Security_Dbase_Status, Security_Parm_Change, Security_System_Attack, Security_System_Software, Security_System_Status, SF-Sherlock, Sherlock_Diverse, Sherlock_Diverse, Sherlock_Information, Sherlock_Specialties, Storage_Management, Subsystem_Scan, Sysplex_Security, Sysplex_Status, System_Catalog, System_File_Change, System_File_Security, System_File_Specialty, System_Log_Monitoring, System_Module_Security, System_Process_Security, System_Residence, System_Tampering, System_Volumes, TSO_Status, UNIX_OMVS_Security, UNIX_OMVS_System, User_Defined_Monitoring, xx_Resource_Prot_Templ

Yes No No
Epic Epic SIEM, Versions Epic 2014, Epic 2015, and Epic 2017 LEEF Audit, Authentication Yes Yes No
Exabeam Exabeam 1.7 and 2.0 not applicable Critical, Anomalous Yes No No
Extreme Networks Extreme Ware 7.7 and XOS 12.4.1.x Syslog All events No Yes No
F5 Networks F5 Networks BIG-IP AFM 11.3 and 12.x to 14.x Syslog Network, network DoS, protocol security, DNS, and DNS DoS events Yes Yes No
F5 Networks F5 Networks BIG-IP LTM 9.42 to 14.x Syslog, CSV All events No Yes No
F5 Networks

F5 Networks BIG-IP ASM 10.1 to 14.x

Syslog

Event format: CEF (CEF:0 is supported)

Recorded event types: All security events

Yes Yes No
F5 Networks F5 Networks BIG-IP APM 10.x to 14.x Syslog All events Yes No No
F5 Networks FirePass 7.0 Syslog All events Yes Yes No
Fair Warning Fair Warning 2.9.2 Log File Protocol All events No No No
Fasoo Fasoo Enterprise DRM 5.0 JDBC NVP event format

Usage events

No No No
Fidelis Security Systems Fidelis XPS 7.3.x Syslog Alert events Yes No No
FireEye

FireEye CMS, MPS, EX, AX, NX, FX, and HX

Syslog, TLS Syslog

Event formats: CEF (CEF:0 is supported), LEEF

Recorded event types: All relevant events

Yes No No
FreeRADIUS FreeRADIUS 2.x Syslog All events Yes Yes No
Forcepoint Forcepoint Sidewinder 6.1

(formerly known as McAfee Firewall Enterprise 6.1)

Syslog Forcepoint Sidewinder audit events Yes No No
Forcepoint Stonesoft Management Center 5.4 to 6.1 Syslog Event format: LEEF

Event types: Management Center, IPS, Firewall, and VPN events

Yes No No

Forcepoint

Forcepoint TRITON 7.7, and 8.2

(formerly known as Websense)

Syslog

LEEF

Events for web content from several Forcepoint TRITON solutions, including Web Security, Web Security Gateway, Web Security Gateway Anywhere, and V-Series appliances.

All events

Yes No No

Forcepoint

Forcepoint V-Series Data Security Suite (DSS) 7.1x

(formerly known as Websense)

Syslog All events Yes Yes Yes

Forcepoint

Forcepoint V-Series Content Gateway V7.1x

(formerley known as Websense)

Log File Protocol All events No No No
ForeScout CounterACT 7.x and later Syslog Denial of Service, system, exploit, authentication, and suspicious events No No No
Fortinet

Fortinet FortiGate Security Gateway FortiOS 6.4 and earlier

Syslog

Syslog Redirect

All events Yes Yes Yes
Foundry FastIron 3.x.x and 4.x.x Syslog All events Yes Yes No
genua genugate 8.2+ Syslog General error messages

High availability

General relay messages

Relay-specific messages

genua programs/daemons

EPSI Accounting Daemon - gg/src/acctd

Configfw FWConfig

ROFWConfig

User-Interface

Webserver

Yes Yes No
Google Google Cloud Audit Logs Google Cloud Pub/Sub
Supported services:
  • Google Compute Engine
  • Identity Access Management
  • Identity Platform
  • Cloud Storage

Event format: JSON

Event types: Storage, list, update

Yes No No
Google Google Cloud Platform Firewall Google Cloud Pub/Sub

Event format: JSON

Event types: Firewall Allow, Firewall Deny

No No No
Google Google G Suite Activity Reports Google G Suite Activity Reports REST API

Event format: JSON

Recorded event types: Admin, drive, login, user accounts

No No No
Great Bay Beacon Syslog All events Yes Yes No
H3C Technologies

H3C Comware Platform, H3C Switches, H3C Routers, H3C Wireless LAN Devices, and H3C IP Security Devices

version 7 is supported

Syslog

NVP

System

No No No
HBGary Active Defense 1.2 and later Syslog All events Yes No No
HP Network Automation 10.11

Syslog

LEEF

All operational and configuration network events. Yes Yes No
HP ProCurve K.14.52

Syslog

All events Yes No No
HP Tandem Log File Protocol Safe Guard Audit file events No No No
HP UX V11.x and later Syslog All events No Yes No
Honeycomb Technologies Lexicon File Integrity Monitor mesh service V3.1 and later Syslog integrity events Yes No No
Huawei S Series Switch S5700, S7700, and S9700 using V200R001C00 Syslog IPv4 events from S5700, S7700, and S9700 Switches No No No
Huawei AR Series Router (AR150, AR200, AR1200, AR2200, and AR3200 routers using V200R002C00) Syslog IPv4 events No No No
IBM IBM AIX® V6.1 and V7.1 Syslog, Log File Protocol Configured audit events Yes No No
IBM IBM AIX 5.x, 6.x, and v7.x Syslog Authentication and operating system events Yes Yes No
IBM

IBM BigFixV8.2.x to 9.5.2

(formerly known as Tivoli EndPoint Manager)

IBM BigFix® SOAP Protocol Server events No Yes No
IBM IBM BigFix Detect
Note: The IBM BigFix Detect DSM for QRadar is deprecated.
         
IBM IBM Bluemix® Platform Syslog, TLS Syslog All System (Cloud Foundry) events, some application events Yes No No
IBM

IBM Cloud® Identity

(now known as IBM Security Verify

         
IBM IBM DLC Metrics Syslog, Forwarded Event format: LEEF

Recorded event types: All DLC Metrics event types

Yes No No
IBM IBM Federated Directory Server V7.2.0.2 and later LEEF FDS Audit Yes No No
IBM IBM Guardium® 8.2p45 Syslog Policy builder events No No No
IBM IBM i DSM V5R4 and later

(formerly known as AS/400iSeries)

Log File Protocol Event format: CEF (CEF:0 is supported)

Recorded event types: All security events

No Yes No
IBM IBM i - Robert Townsend Security Solutions V5R1 and later

(formerly known as AS/400iSeries)

Syslog Event format: CEF (CEF:0 is supported) Yes Yes No
IBM IBM i - Powertech Interact V5R1 and later

(formerly known as AS/400iSeries)

Syslog Event format: CEF (CEF:0 is supported) Yes Yes No
IBM ISS Proventia M10 v2.1_2004.1122_15.13.53 SNMP All events No No No
IBM Lotus® Domino® v8.5 SNMP All events No No No
IBM Proventia Management SiteProtector v2.0 and v2.9 JDBC IPS and audit events No No No
IBM RACF® v1.9 to v1.13 Log File Protocol All events No No Yes
IBM CICS® v3.1 to v4.2 Log File Protocol All events No No Yes
IBM DB2® v8.1 to v10.1 Log File Protocol All events No No Yes
IBM

IBM DataPower® FirmwareV6 and V7

(formerly known as WebSphere® DataPower)

Syslog All events Yes No No

IBM

IBM Fiberlink® MaaS360®

LEEF

Compliance rule events

Device enrollment events

Action history events

No

Yes

No

IBM IBM QRadar Packet Capture

IBM QRadar Packet Capture V7.2.3 to V7.2.8

IBM QRadar Network Packet Capture V7.3.0

Syslog, LEEF All events Yes No No
IBM IBM SAN Volume Controller Syslog CADF event format

Activity, Control, and Monitor audit events

Yes No No
IBM z/OS v1.9 to v1.13 Log File Protocol All events No No Yes
IBM Informix® v11 Log File Protocol All events No No No
IBM IMS Log File Protocol All events No No No
IBM Security Access Manager for Mobile (ISAM) TLS Syslog
IBM_SECURITY_AUTHN

IBM_SECURITY_TRUST
IBM_SECURITY_RUNTIME
IBM_SECURITY_CBA_AUDIT
_MGMT
IBM_SECURITY_CBA_AUDIT
_RTE
IBM_SECURITY_RTSS_AUDI
T_AUTHZ
IBM_SECURITY_SIGNING
CloudOE
Operations
Usage
IDaaS Appliance Audit
IDaaS Platform Audit
Yes No No
IBM Security Identity Governance (ISIG) JDBC

NVP event format

Audit event type

No No No
IBM QRadar Network Security XGS v5.0 with fixpack 7 to v5.4 Syslog System, access, and security events Yes No No
IBM Security Network IPS (GX) v4.6 and later Syslog Security, health, and system events Yes No No
IBM Security Privileged Identity Manager V1.0.0 to V2.1.1 JDBC Audit, authentication and system events No No No
IBM Security Identity Manager 6.0.x and later JDBC Audit and recertification events No Yes No
IBM IBM Security Trusteer® HTTP Receiver Event format: JSON

Event types: Trusteer alerts

Yes No No
IBM IBM Security Trusteer Apex™ Advanced Malware Protection Syslog/LEEF

Log File Protocol

Malware Detection

Exploit Detection

Data Exfiltration Detection

Lockdown for Java™ Event

File Inspection Event

Apex Stopped Event

Apex Uninstalled Event

Policy Changed Event

ASLR Violation Event

ASLR Enforcement Event

Password Protection Event

Yes Yes No

IBM

IBM Sense v1

Syslog

LEEF

Yes

No

No

IBM IBM SmartCloud Orchestrator v2.3 FP1 and later IBM SmartCloud Orchestrator REST API Audit Records No Yes No
IBM IBM Security Verify

(formerly known as IBM Cloud Identity)

JSON Authentication, SSO, Management No Yes Yes
IBM Tivoli® Access Manager IBM Web Security Gateway v7.x Syslog audit, access, and HTTP events Yes Yes No
IBM

Tivoli Endpoint Manager

(now known asIBM BigFix)

         
IBM WebSphere Application Server v5.0 to v8.5 Log File Protocol All events No Yes No
IBM

WebSphere DataPower

(now known as DataPower)

WebSphere DataPower
         
IBM zSecure Alert v1.13.x and later UNIX syslog Alert events Yes Yes No
IBM Security Access Manager v8.1 and v8.2 Syslog Audit, system, and authentication events Yes No No
IBM Security Directory Server v6.3.1 and later Syslog LEEF All events Yes Yes No
Illumio Illumio Adaptive Security Platform Syslog

LEEF

Audit

Traffic

Yes No No
Imperva Incapsula LEEF Access events and Security alerts Yes No No
Imperva SecureSphere v6.2 and v7.x to v13 Release Enterprise Edition (Syslog)

SecureSphere v9.5 to v13 (LEEF)

Syslog

LEEF

Firewall policy events Yes No No
Infoblox NIOS Infoblox NIOS 6.x to 8.x Syslog ISC Bind

Linux® DHCP

Linux Server

Apache

No Yes No
Internet Systems Consortium (ISC)

ISC BIND 9.9, 9.11, 9.12

Syslog All events Yes No No
Intersect Alliance SNARE Enterprise Windows Agent Syslog Microsoft Event Logs Yes Yes No
iT-CUBE agileSI 1.x SMB Tail AgileSI SAP events No Yes No
Itron Openway Smart Meter Syslog All events Yes No No
Juniper Networks AVT JDBC All events No No Yes
Juniper Networks DDoS Secure

Juniper Networks DDoS Secure is now known as NCC Group DDoS Secure.

      No No
Juniper Networks DX

The Juniper Networks DX Platform product is end of life (EOL), and is no longer supported by Juniper.

Syslog Status and network condition events Yes No Yes
Juniper Networks Infranet Controller

The Juniper Networks Infranet Controller DSM for IBM QRadar is now known as Pulse Secure Infranet Controller.

         
Juniper Networks Firewall and VPN v5.5r3 and later Syslog NetScreen Firewall events Yes Yes Yes
Juniper Networks Junos WebApp Secure v4.2.x Syslog Incident and access events Yes No No
Juniper Networks IDP v4.0, v4.1 & v5.0 Syslog NetScreen IDP events Yes No Yes
Juniper Networks Network and Security Manager (NSM) and Juniper SSG v2007.1r2 to 2007.2r2, 2008.r1, 2009r1.1, 2010.x Syslog NetScreen NSM events Yes No Yes
Juniper Networks

Junos OS 7.x to 10.x Ex Series

Ethernet Switch DSM only supports 9.0 to 10.x

Syslog or PCAP Syslog*** All events Yes** Yes Yes
Juniper Networks

Secure Access

Juniper Networks Secure Access is now known as Pulse Secure Pulse Connect Secure.

        Yes
Juniper Networks

Juniper Security Binary Log Collector

SRX or J Series appliances at 12.1 or above

Binary Audit, system, firewall, and IPS events No No Yes
Juniper Networks Steel-Belted Radius 5.x Log File All events Yes Yes Yes
Juniper Networks vGW Virtual Gateway 4.5

The Juniper Networks vGW Virtual Gateway product is end of life (EOL), and is no longer supported by Juniper.

Syslog Firewall, admin, policy and IDS Log events Yes No No
Juniper Networks

Wireless LAN Controller

Wireless LAN devices with Mobility System Software (MSS) V7.6 and later

Syslog All events Yes No No
Kaspersky Security Center 9.2 JDBC, LEEF Antivirus, server, and audit events No Yes No
Kaspersky Kaspersky CyberTrace Syslog

Event format: LEEF

Event types: defect, status, evaluation

Yes No No
Kubernetes Kubernetes Auditing

Supported version: Kubernetes API 1.16

Syslog

Event format: JSON

Event types: RequestReceived, ResponseStarted, ResponseComplete

Yes No Yes
Kisco Kisco Information Systems SafeNet/i 10.11 Log File All events No No No
Lastline Lastline Enterprise 6.0 LEEF Anti-malware Yes No No
Lieberman Random Password Manager 4.8x Syslog All events Yes No No
LightCyber LightCyber Magna 3.9 Syslog, LEEF C&C, exfilt, lateral, malware and recon Yes No No
Linux Open Source Linux OS 2.4 and later Syslog Operating system events Yes Yes No
Linux DHCP Server 2.4 and later Syslog All events from a DHCP server Yes Yes No
Linux IPtables kernel 2.4 and later Syslog Accept, Drop, or Reject events Yes No No
McAfee McAfee Application / Change Control v4.5.x JDBC Change management events No Yes No
McAfee

McAfee ePolicy Orchestrator 3.5 to 5.10

JDBC: 3.5 to 5.9

SNMPv1, SNMPv2, SNMPv3: 3.5 to 5.9

TLS Syslog: 5.10

AntiVirus events No No No
McAfee McAfee MVISION Cloud 2.4 and 3.3

(formerly known as Skyhigh Networks Cloud Security Platform)

Syslog Event format:

Log Event Extended Format (LEEF)

Recorded event types:

Privilege Access, Insider Threat, Compromised Account, Access, Admin, Data, Policy, and Audit

Yes No No
McAfee

McAfee Network Security Platform 2.x - 5.x

(Formerly known as McAfee Intrushield)
Syslog Alert notification events Yes No No
McAfee

McAfee Network Security Platform 6.x - 7.x and 8.x - 10.x

(Formerly known as McAfee Intrushield)
Syslog Alert and fault notification events Yes No No
McAfee McAfee Web 6.0.0 and later Syslog, Log File Protocol All events Yes No No
MetaInfo MetaIP 5.7.00-6059 and later Syslog All events Yes Yes No
Microsoft Microsoft Azure Active Directory Microsoft Azure Event Hubs

Event format: JSON

Recorded event types: Sign-In logs, Audit logs

Yes No No
Microsoft

Microsoft Azure Platform Microsoft Azure Event Hubs

Event format: JSON

Recorded event types: Platform level activity logs

For more information about Platform level activity logs, see Azure Resource Manager resource provider operations (https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations).

Yes
Note: This DSM automatically discovers only Activity Log Events that are forwarded directly from the Activity Log to the Event Hub.
No No
Microsoft Microsoft Azure Security Center Microsoft Graph Security API

Event format: JSON

Recorded event types: Security alert

No No No
Microsoft DNS Debug

Supported versions:

Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2

WinCollect Microsoft DNS Debug LEEF Yes Yes No
Microsoft

IIS 6.0, 7.0 and 8.x

Syslog and WinCollect HTTP status code events Yes No No
Microsoft Internet and Acceleration (ISA) Server or Threat Management Gateway 2006 Syslog and WinCollect ISA or TMG events Yes No No
Microsoft Exchange Server 2003, 2007, 2010, 2013, and 2016 Windows Exchange Protocol

Outlook Web Access events (OWA)

Simple Mail Transfer Protocol events (SMTP

Message Tracking Protocol events (MSGTRK)

No No No
Microsoft Endpoint Protection 2012 JDBC Malware detection events No No No
Microsoft Microsoft Hyper-V

supported versions:

Windows Server 2016

Windows Server 2012 (most recent)

Windows Server 2012 Core

Windows Server 2008 (most recent)

Windows Server 2008 Core

Windows 10 (most recent)

Windows 8 (most recent)

Windows 7 (most recent)

Windows Vista (most recent)

WinCollect All events No No No
Microsoft

IAS Server

v2000, 2003, and 2008

Syslog All events Yes No No
Microsoft Microsoft Office 365 Office 365 REST API JSON No No No
Microsoft Microsoft Office 365 Message Trace Office 365 Message Trace REST API

Event format: JSON

Event types: Email security threat classification

No No No
Microsoft Microsoft Windows Defender® ATP Windows Defender ATP REST API

Event format: JSON

Event types:

Windows Defender ATP

Windows Defender AV

Third Party TI

Customer TI

Bitdefender

No No No
Microsoft Microsoft Windows Security Event Log

supported versions:

Windows Server 2016

Windows Server 2012 (most recent)

Windows Server 2012 Core

Windows Server 2008 (most recent)

Windows Server 2008 Core

Windows 10 (most recent)

Windows 8 (most recent)

Windows 7 (most recent)

Windows Vista (most recent)

Syslog

Forwarded

TLS Syslog

TCP Multiline Syslog

Windows Event Log (WMI)

Windows Event Log Custom (WMI)

MSRPC

WinCollect

WinCollect NetApp Data ONTAP

All events, including Sysmon and winlogbeats.json Yes Yes Yes
Microsoft

SQL Server 2008, 2012, 2014 (Enterprise editions only), and 2016

Syslog, JDBC and WinCollect SQL Audit events No No No
Microsoft

SharePoint 2010 and 2013

JDBC SharePoint audit, site, and file events No No No
Microsoft DHCP Server 2000/2003 Syslog and WinCollect All events Yes Yes No
Microsoft Operations Manager 2005 JDBC All events No No No
Microsoft System Center Operations Manager 2007 JDBC All events No No No
Motorola Symbol AP firmware 1.1 to 2.1 Syslog All events No No No
NCC Group NCC Group DDos 5.13.1-2s to 516.1-0 Syslog

Event format: LEEF

Event types: All events

Yes No No
Niara Niara 1.6 Syslog

Security

System

Internal Activity

Exfiltration

Infection

Command & Control

Yes No Yes
NetApp Data ONTAP Syslog CIFS events Yes Yes No
Netgate Netgate pfSense Syslog

System

Firewall

DNS

DHCP (when you use the Linux DHCP DSM)

Yes Yes No

Netskope

Netskope Active Netskope Active REST API Alert, All events No Yes No
NGINX NGINX HTTP Server 1.15.5 Syslog Syslog, Standard syslog Yes No No
Niksun NetVCR 2005 v3.x Syslog Niksun events No No No
Nokia Firewall NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later Syslog or OPSEC LEA All events Yes Yes No
Nokia VPN-1 NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later Syslog or OPSEC LEA All events Yes Yes No

Nominum

Note: The Nominum Vantio DSM for QRadar is deprecated.
Vantio v5.3        
Nortel Contivity Syslog All events Yes No No
Nortel Application Switch v3.2 and later Syslog Status and network condition events No Yes No
Nortel ARN v15.5 Syslog All events Yes No No
Nortel* Ethernet Routing Switch 2500 v4.1 Syslog All events No Yes No
Nortel* Ethernet Routing Switch 4500 v5.1 Syslog All events No Yes No
Nortel* Ethernet Routing Switch 5500 v5.1 Syslog All events No Yes No
Nortel Ethernet Routing Switch 8300 v4.1 Syslog All events No Yes No
Nortel Ethernet Routing Switch 8600 v5.0 Syslog All events No Yes No
Nortel VPN Gateway v6.0, 7.0.1 and later, v8.x Syslog All events Yes Yes No
Nortel Secure Router v9.3, v10.1 Syslog All events Yes Yes No
Nortel Secure Network Access Switch v1.6 and v2.0 Syslog All events Yes Yes No
Nortel Switched Firewall 5100 v2.4 Syslog or OPSEC All events Yes Yes No
Nortel Switched Firewall 6000 v4.2 Syslog or OPSEC All events Yes Yes No
Nortel Threat Protection System v4.6 and v4.7 Syslog All events No No No
Novell eDirectory v2.7 Syslog All events Yes No No
ObserveIT ObserveIT 5.7.x and later JDBC Alerts

User Activity

System Events

Session Activity

DBA Activity

No Yes No
Okta Okta Identity Management Okta REST API JSON No Yes No
Onapsis Onapsis Security Platform v1.5.8 and later Log Event Extended Format (LEEF)

Assessment

Attack signature

Correlation

Compliance

Yes No No
OpenBSD Project OpenBSD v4.2 and later Syslog All events No Yes No
Open LDAP Foundation Open LDAP 2.4.x UDP Multiline Syslog All events No No No
Open Source SNORT v2.x Syslog All events Yes No No
OpenStack OpenStack v2015.1 HTTP Reciever Audit events No No No
Oracle Oracle DB Audit versions 9i, 10g, 11g, 12c (includes unified auditing) JDBC, Syslog Event format: Name-Value Pair

Recorded event types: Audit records

Yes Yes No
Oracle Audit Vault V10.3 and V12.2 JDBC

All audit records from the AVSYS.AV$ALERT_STORE table for V10.3, or from the custom AVSYS.AV_ALERT_STORE_V view for V12.2.

No Yes No
Oracle

Oracle OS Audit 9i, 10g, and 11g

Syslog Event format: name-value pair (NVP)

Event types: Oracle events

Yes Yes No
Oracle Oracle BEA WebLogic 12.2.1.3.0 Log File Oracle events No No No
Oracle Oracle Database Listener 9i, 10g, and 11g Syslog Oracle events Yes No No
Oracle

Oracle Directory Server

(Formerly known as Sun ONE LDAP).

         
Oracle Oracle Fine Grained Auditing 9i and 10g JDBC Select, insert, delete, or update events for tables configured with a policy No No No
N/A osquery 3.3.2

Syslog

TCP Multiline Syslog

Event format: JSON

Event type: Access Audit Authentication System

No No Yes
OSSEC OSSEC 2.6 and later Syslog All relevant Yes No No
Palo Alto Networks

Palo Alto PA Series Pan-OS 3.0 to 9.1

 

Traffic

Threat

URL Filtering

Data

WildFire

Config

System

HIP Match

Authentication

User-ID

Tunnel Inspection

Correlation

SCTP

IP-Tag

Event formats: CEF for PAN-OS v4.0 to v6.1 (CEF:0 is supported)

LEEF for PAN-OS v3.0 to v9.1

Yes Yes No
Palo Alto Networks Palo Alto Endpoint Security Manager 3.4.2.17401 Syslog Agent

Config

Policy

System

Threat

Event formats: CEF (CEF:0 is supported), LEEF

Yes No No
Pirean Access: One 2.2 with DB2 9.7 JDBC Access management and authentication events No No No
PostFix Maifl Transfer Agent 2.6.6 and later UDP Multiline Protocol or Syslog Mail events No No No
ProFTPd ProFTPd 1.2.x, 1.3.x Syslog All events Yes Yes No
Proofpoint Proofpoint Enterprise Protection and Enterprise Privacy versions 7.0.2, 7.1, 7.2, 7.5, 8.0 Syslog

Log File

System, Email security threat classification, Email audit and encryption No No No
Pulse Secure Pulse Secure Infranet Controller 2.1, v3.1 and 4.0 Syslog All events No Yes Yes
Pulse Secure Pulse Secure Pulse Connect Secure 8.2R5

Syslog

TLS Syslog

Event formats:

Admin, Authentication, System, Network, Error

Event types:

All events

Yes Yes Yes
Radware AppWall 6.5.2 and 8.2 Syslog Event format: Vision Log

Recorded event types:

Administration

Audit

Learning

Security

System

Yes No No
Radware DefensePro 4.23, 5.01, 6.x and 7.x Syslog All events Yes No No
Raz-Lee iSecurity IBM i Firewall 15.7 and Audit 11.7 Syslog Security, compliance, firewall, and audit events Yes Yes No
Redback Networks ASE 6.1.5 Syslog All events Yes No No

Resolution1

Resolution1 CyberSecurity

Formerly known as AccessData InSight

Resolution1 CyberSecurity.
Log file

Volatile Data, Memory Analysis Data, Memory Acquisition Data, Collection Data, Software Inventory, Process Dump Data, Threat Scan Data, Agent Remediation Data

No No No
Riverbed SteelCentral NetProfiler JDBC Alert events No No No
Riverbed SteelCentral NetProfiler Audit Log file protocol Audit events No Yes No
RSA

Authentication Manager 6.x, 7.x, and 8.x

v6.x and v7.x use Syslog or Log File Protocol

v8.x uses Syslog only

All events No No No
SafeNet DataSecure 6.3.0 and later Syslog All events Yes No No
Salesforce Salesforce Security Auditing Log File Setup Audit Records No No No
Salesforce Salesforce Security Salesforce REST API Protocol

Login History

Account History

Case History

Entitlement History

Service Contract History

Contract Line Item History

Contract History

Contact History

Lead History

Opportunity History

Solution History

Salesforce Security Auditing audit trail

No Yes No
Samhain Labs HIDS 2.4

Syslog

JDBC

All events Yes No No
SAP SAP Enterprise Threat Detection sp6 SAP Enterprise Threat Detection Alert API LEEF No No No
Seculert Seculert v1 Seculert Protection REST API Protocol All malware communication events No No No
Seculert Seculert Seculert protection REST API Protoco All malware communication events No No No
Sentrigo Hedgehog 2.5.3 Syslog All events Yes No No
Skyhigh Networks

(now known as McAfee)

Skyhigh Networks Cloud Security Platform 2.4 and 3.3

(now known as McAfee MVISION Cloud 2.4 and 3.3)

         
SolarWinds SolarWinds Orion 2011.2 Syslog All events

No

No No
SonicWALL UTM/Firewall/VPN Appliance 3.x and later Syslog All events Yes No No
Sophos

Sophos Astaro Security Gateway 17.x

Syslog All events Yes No No
Sophos Sophos Enterprise Console 4.5.1 and 5.1

Sophos Enterprise Console protocol

JDBC

All events No No No
Sophos Sophos PureMessage 3.1.0.0 for Microsoft Exchange 5.6.0 for Linux JDBC Quarantined email events No No No
Sophos Sophos Web Security Appliance 3.x Syslog Transaction log events Yes No No
Sourcefire Sourcefire Intrusion Sensor IS 500, 2.x, 3.x, 4.x Syslog All events Yes No No
Sourcefire Sourcefire Defense Center

(Now known as Cisco FireSIGHT Mangement Center)

         
Splunk MicrosoftWindows Security Event Log Windows-based event provided by Splunk Forwarders All events No Yes No
Squid Squid Web Proxy 2.5 and later Syslog All cache and access log events Yes No No
Startent Networks Startent Networks Syslog All events Yes No No
STEALTHbits Technologies STEALTHbits File Activity Monitor Syslog LEEF File Activity Monitor Events      
STEALTHbits Technologies StealthINTERCEPT Syslog LEEF Active Directory Audit Events Yes No No
STEALTHbits Technologies STEALTHbits StealthINTERCEPT Alerts Syslog LEEF Active Directory Alerts Events Yes No No
STEALTHbits Technologies STEALTHbits StealthINTERCEPT Analytics Syslog LEEF Active Directory Analytics Events Yes No No
Sun Sun Solaris DHCP 2.8 Syslog All events Yes Yes No
Sun Sun Solaris OS 5.8, 5.9 Syslog All events Yes Yes No
Sun Sun Solaris Sendmail 2.x

Syslog

Log File Protocol

Proofpoint 7.5 and 8.0 Sendmail log

All events Yes No No
Sun Sun Solaris Basic Security Mode (BSM) 5.10 and 5.11 Log File Protocol All events No Yes No
Sun

Sun ONE LDAP v11.1

(Known as Oracle Directory Server)

Log File Protocol

UDP Multiline Syslog

All relevant access and LDAP events No No No
Sybase Sybase ASE 15.0 and later JDBC All events No No No
Symantec

Symantec Endpoint Protection 11, 12, and 14

Syslog All Audit and Security Logs Yes No Yes
Symantec Symantec SGS Appliance 3.x and later Syslog All events Yes No Yes
Symantec Symantec SSC 10.1 JDBC All events Yes No No
Symantec Symantec Data Loss Prevention (DLP) 8.x Syslog All events No No No
Symantec

Symantec Encryption Management Server 3.0x

formerly known as PGP Universal Server

Syslog All events Yes No No
Symark Symark PowerBroker 4.0 Syslog All events Yes No No
SysFlow is an open source project initiated by IBM. SysFlow 1.0 Syslog Event format: JSON

Recorded event types: SysFlow

Yes No No
ThreatGRID Malware Threat Intelligence Platform 2.0

Log file protocol

Syslog

Malware events No No No
TippingPoint

Intrusion Prevention System (IPS) 1.4.2 to 3.2.x

TippingPoint SMS 5.2.0

Syslog All events No No No
TippingPoint X505/X506 2.5 and later Syslog All events Yes Yes No
Top Layer IPS 5500 4.1 and later Syslog All events Yes No No
Trend Micro Trend Micro Apex Central (version 1) Syslog, TLS syslog Event format: CEF

Event types:

Attack discovery detection logs

Behavior monitoring logs

C&C callback logs

Content security logs

Data loss prevention logs

Device access control logs

Endpoint application control logs

Engine update status logs

Intrusion prevention logs

Network content inspection logs

Pattern Update Status Logs

Predictive machine learning logs

Sandbox detection logs

Spyware/Grayware logs

Suspicious file logs

Virus/Malware logs

Web security logs

Yes No No
Trend Micro Trend Micro Control Manager 5.0 or 5.5 with hotfix 1697 or hotfix 1713 after SP1 Patch 1; 6.0 and 7.0.

SNMPv1

SNMPv2

SNMPv3

All events Yes No No
Trend Micro

Trend Micro Deep Discovery Analyzer 5.0, 5.5, 5.8 and 6.0

Syslog

Event format: LEEF

Events: All events
Yes No No
Trend Micro Trend Micro Deep Discovery Director 3.0 Syslog Event format: LEEF

Events: Trend Micro Deep Discovery Inspector events

Yes No No
Trend Micro

Trend Micro Deep Discovery Email Inspector 3.0

Syslog

Event format: LEEF

Events: Detections, Virtual Analyzer Analysis logs, System events, Alert events
Yes No No
Trend Micro Trend Micro Deep Discovery Inspector 3.0 to V3.8, 5.0 and 5.1 Syslog

Event format: LEEF

Events:

Malicious content

Malicious behavior

Suspicious behavior

Exploit

Grayware

Web reputation

Disruptive application

Sandbox

Correlation

System

Update

Yes No No
Trend Micro

Trend Micro Deep Security 9.6.1532, 10.0.1962 and 10.1

Syslog

Event format: LEEF

Events:

Anti-Malware

Deep Security

Firewall

Integrity Monitor

Intrusion Prevention

Log Inspection

System

Web Reputation

Yes No No
Trend Micro Trend Micro Office Scan 8.x and 10.x SNMPv2 All events No No No
Tripwire Tripwire Enterprise Manager 5.2 and later Syslog

Event format: CEF (CEF:0 is supported)

Event types: Resource additions, removal, and modification events

Yes No No
Tropos Networks Tropos Control 7.7 Syslog Fault management, login/logout, provision, and device image upload events No No No
Trusteer Apex Local Event Aggregator 1304.x and later Syslog Malware, exploit, and data exfiltration detection events Yes No No

Vectra Networks

Vectra Networks Vectra v2.2

Syslog

Host scoring, command and control, botnet activity, reconaissance, lateral movement, exfiltration

Event format: CEF (CEF:0 is supported)

Yes

No

No

Verdasys

Digital Guardian 6.0.x (Syslog only)

Digital Guardian 6.1.1 and 7.2 (LEEF only)

Syslog Event format: LEEF

Events: All events

Yes No No
Vericept Content 360 up to 8.0 Syslog All events Yes No No
VMware VMware AppDefense 1.0

JSON

VMWare AppDefense API protocol

All events No No No
VMware Carbon Black App Control 8.0.x to 8.5.x

(Formerly known as Carbon Black Protection)

Syslog Event format: LEEF

Event types: computer management, server management, session management, policy management, policy enforcement, internal events, general management, discovery

Yes Yes No
VMware VMware ESX or ESXi 3.x, 4.x, 5.x and 6.x

Syslog

EMC VMware protocol

Account Information

Notice

Warning

Error

System Informational

System Configuration

System Error

User Login

Misc Suspicious Event

Access Denied

License Expired

Information

Authentication

Session Tracking

Yes if syslog No No
VMware VMware vCenter v5.x EMC VMware protocol

Account Information

Notice

Warning

Error

System Informational

System Configuration

System Error

User Login

Misc Suspicious Event

Access Denied

License Expired

Information

Authentication

Session Tracking

No No No
VMware VMware vCloud Director 5.1 - 10.0 VMware vCloud Director protocol All events No Yes No
VMware VMware vShield Syslog All events Yes No No
Vormetric, Inc. Vormetric Data Security Syslog (LEEF)

Audit

Alarm

Warn

Learn Mode

System

Yes No No
Watchguard WatchGuard Fireware OS Syslog All events Yes No No

Websense

(now known as Forcepoint)

           
Zscaler Zscaler Nanolog Streaming Service (Zscaler NSS) 6.0 Syslog Event format: LEEF

Event types: Web log events, Firewall events

Yes No No