You are looking for a list of signatures for SSIM Syslog type collectors
Article ID: 157379
Updated On:
Products
Issue/Introduction
You are looking for a list of signatures for SSIM Syslog type collectors.
Resolution
The following collectors:
- CyberGuard® Firewall/VPN,
- Nortel™ Contivity
- Tipping Point v4.2
- Tipping Point v4.3
- McAfee UTM Firewall
and others do not have signatures that are unique to the 3rd Party product. However, almost all Syslog sensor based collectors can be used in Syslog Director. But in some 3rd party products the events don't contain unique word which might be used as signature for Syslog Director Director. In this case, you can use an IP address or hostname of the device which will be included into the header of every Syslog event as Syslog Director signature. For example, if your device IP is 169.254.13.111, then all events will have a header similar to: Aug 19 17:16:03 169.254.13.111. So, each of events will have 169.254.13.111 in it and you can use this as signature. We have several collectors where we suggest using IP or hostname of the device as signature if their events don't have unique flag.
These following Syslog type collectors cannot be used with Syslog Director even if you add the IP address or Hostname:
- F5 Big-IP - It is recommended you do not try to use Syslog Director with this collector so no signatures are needed with this collector, .
The table below contains the signatures for current SSIM Collectors. This is meant to be a list of current Syslog Collectors signatures, but there might be newer Syslog type collectors that have been released since this table was created, please check the guide for your SSIM Event Collector for additional information.
Collector Signatures:
|
Collector Name |
Collector Signature |
Default Port |
| AirDefense Event Collector | Category=Platform Health,Category=Reconnaissance,Category=Rogue,Category=Vulnerabilities,Category=Infrastructure, Category=Policy Compliance,Category=Exploits,Category=Performance | As assigned |
| IBM AIX Audit Event Collector | ibmaixaudit | 10561 |
| Arbor Peakflow Event Collector | Arbor PeakFlow X Event Collector Alerting Entity, High Bandwidth, Low Bandwidth, Monitored Bandwidth, Profiled Bandwidth, Collector Down, Collector Up, Unapproved Connection, Unapproved Client, Unapproved Server, Unapproved Host Pair, Unapproved Service, anomaly Protocol, anomaly TCP_Flags, anomaly Bandwidth, anomaly ICMP_Misuse, anomaly TCP_NULL_Misuse, anomaly TCP_SYN_Misuse, anomaly IP_Proto_Misuse, anomaly IP_Fragment_Misuse, anomaly Private_IP_Misuse, anomaly Fingerprint, anomaly TCP_RST_Misuse, anomaly Total_Traffic_Misuse | As assigned |
| ArcSight CEF Event Collector | CEF: | As assigned |
| ArubaWireless Event Collector |
authmgr,isakmpd,wms,localdb,sapd,stm,mobileip,fpapps,httpd,aaa,cfgm,webui,sshd,nanny,pim,esi,KERNEL,cli |
As assigned |
| BarracudaWeb Application Controller Event Collector | WF,TR,NF,SYS,CONN | 10553 |
| Cisco(R) ASA(R) Event Collector (replaced PIX) | %PIX, %ASA, | 10557 |
| Cisco IOS Event Collector |
%FWSM-,%IPS-, %IDS-, %FW-, %SEC-, %URLF-, %SSH-,%IP-, %LINK-, %HWVPN-, %ALARM-,%AAA |
10517 |
| Cisco® VPN Concentrator Event Collector | SEV= | 10521 |
| ForeScout© CounterACT™ Event Collector | CounterACT[, Scout[ | 10540 |
| Fortinet Event Collector | type=event, type=virus, type=ips, type=traffic, type=im, type=emailfilter, type=webfilter, type=content-log, type=contentlog, type=im, type=app-ctrl | 10526 |
| HP ProCurve Event Collector | snmp:,auth:,usb:,tftp:,update:,mgr:,ssh:,ssl:,chassis:,sFlow:, ports: | 10547 |
| ISC DHCP Event Collector | dhcpd: | 10541 |
| Juniper VPN Event Collector | Juniper | 10522 |
| Radware DefensePro Event Collector | DefensePro, LinkProof, AppDi | 10563 |
| RSA Authentication Manager Event Collector | system.com,audit.admin,audit.runtime | 10566 |
| Sidewinder G2 Event Collector | auditd | 10546 |
| Snare forWindows Event Collector | MSWinEventLog | 10529 |
| Snort(R) Syslog Event Collector | snort:, snort[, SFIMS: | 10524 |
| Stonesoft(R) StoneGate Event Collector | <STONEGATE_LOG>, <ALERT_LOG>, <IPS_LOG> | 10565 |
| Third Brigade Event Collector | dsa_mpld:, dsa_mpf:, DSM: | 10544 |
| UNIX(R) OS Event Collector | dhclient, sshd, su, LOGIN, pam_unix, xinetd, kernel,useradd, adduser, userdel, gdm, rpc.statd,usermod, init:,reboot:, ftpd, last message repeated, shutdown:, audispd:,named, httpd:, login:, Firewall | 10525 |
Feedback
