TIBCO LogLogic®
Log Management Intelligence (LMI)
Log Source Report Mapping Guidebook
Software Release 5.6.3
January 2016
Important Information
SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO, Two-Second Advantage, and LogLogic are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2002-2016 TIBCO Software Inc. ALL RIGHTS RESERVED.

TIBCO Software Inc. Confidential Information
Contents
Preface, page 5
    Technical Support, page 6
    Typographical Conventions, page 7
Chapter 1 Introduction, page 9
    TIBCO LogLogic Log Source Report Mapping, page 10
LogLogic Report Mapping Guide
Preface
TIBCO LogLogic® Appliances let you capture and manage log data from all types of log sources in your enterprise. This LogLogic Log Source Report Mapping Guidebook provides a set of tables listing Log Source Reports by Device Type, sorted by UI Category.
For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.
Topics
• Related Documents, page 6
• Technical Support, page 8
• Typographical Conventions, page 9
Related Documents
The LogLogic documentation is available on the TIBCO Product Documentation website — https://docs.tibco.com/products/a_z_products.
The following documents contain information about the TIBCO LogLogic Appliances:
• LogLogic Release Notes—Provides information specific to the release including product information, new features and functionality, resolved issues, known issues and any late-breaking information. Check the LogLogic support web site periodically for possible further updates.
• LogLogic Hardware Installation Guide—Describes how to get started with your LogLogic Appliance. In addition, the guide includes details about the Appliance hardware for all models.
• LogLogic Upgrade Guide—Describes how to configure and upgrade the LogLogic Appliance software.
• LogLogic User Guide—Describes how to use the LogLogic solution, viewing dashboard, managing reports, managing alerts, and performing searches.
• LogLogic Administration Guide—Describes how to administer the LogLogic solution including all Management and Administration menu options.
• LogLogic Log Source Configuration Guide—Describes how to support log data from various log sources. There is a separate manual for each supported log source. These documents include documentation on LogLogic Collectors as well as documentation on how to configure log sources to work with the LogLogic solution.
• LogLogic Collector Guides—Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/OS and ISS Site Protector.
• LogLogic Web Services API Implementation Guide—Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administrate the system.
• LogLogic Syslog Alert Message Format Quick Reference Guide—Describes the LogLogic Syslog alert message format.
• LogLogic Enterprise Virtual Appliance Quick Start Guide—Provides instructions on how to quickly set up the TIBCO Enterprise Virtual Appliance.
• LogLogic Log Source Report Mapping Guide—Provides a set of tables listing Log Source Reports by Device Type, sorted by UI Category.
• LogLogic Online Help—Describes the Appliance user interface, including descriptions for each screen, tab, and element in the Appliance.
Technical Support
TIBCO LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although TIBCO LogLogic products are easy to use and maintain, occasional assistance might be necessary. TIBCO LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers that can help you maximize the performance of your TIBCO LogLogic Appliances.
To reach TIBCO LogLogic Customer Support:
Telephone: Toll Free—1-800-957-LOGS
Local—1-408-834-7480
EMEA or APAC: + 44 (0) 207 1170075 or +44 (0) 8000 669970
Email: [email protected]
Support website: https://support.tibco.com
When contacting Customer Support, be prepared to provide:
• Your name, email address, phone number, and fax number
• Your company name and company address
• Your machine type and release version
• A description of the problem and the content of pertinent error messages (if any)
Typographical Conventions
The following typographical conventions are used in this manual.
Table 1 General Typographical Conventions

ENV_NAME, TIBCO_HOME, <ProductAcronym>_HOME
TIBCO products are installed into an installation environment. A product installed into an installation environment does not access components in other installation environments. Incompatible products and multiple instances of the same product must be installed into different installation environments.
An installation environment consists of the following properties:
• Name: Identifies the installation environment. This name is referenced in documentation as ENV_NAME. On Microsoft Windows, the name is appended to the name of Windows services created by the installer and is a component of the path to the product shortcut in the Windows Start > All Programs menu.
• Path: The folder into which the product is installed. This folder is referenced in documentation as TIBCO_HOME.
TIBCO <ProductName> installs into a directory within a TIBCO_HOME. This directory is referenced in documentation as <ProductAcronym>_HOME. The default value of <ProductAcronym>_HOME depends on the operating system. For example, on Windows systems the default value is C:\tibco\<ProductAcronym>\<ReleaseNumber>.

code font
Code font identifies commands, code examples, filenames, pathnames, and output displayed in a command window. For example: Use MyCommand to start the foo process.

bold code font
Bold code font is used in the following ways:
• In procedures, to indicate what a user types. For example: Type admin.
• In large code samples, to indicate the parts of the sample that are of particular interest.
• In command syntax, to indicate the default parameter for a command. For example, if no parameter is specified, MyCommand is enabled: MyCommand [enable | disable]

italic font
Italic font is used in the following ways:
• To indicate a document title. For example: See TIBCO ActiveMatrix BusinessWorks Concepts.
• To introduce new terms. For example: A portal page may contain several portlets. Portlets are mini-applications that run in a portal.
• To indicate a variable in a command or code syntax that you must replace. For example: MyCommand PathName

Key combinations
Key names separated by a plus sign indicate keys pressed simultaneously. For example: Ctrl+C.
Key names separated by a comma and space indicate keys pressed one after the other. For example: Esc, Ctrl+Q.

Note icon
The note icon indicates information that is of special interest or importance, for example, an additional action required only in certain circumstances.

Tip icon
The tip icon indicates an idea that could be useful, for example, a way to apply the information provided in the current section to achieve a specific result.

Warning icon
The warning icon indicates the potential for a damaging situation, for example, data loss or corruption if certain steps are taken or not taken.
Chapter 1 Introduction
This guide provides a set of tables listing Log Source Reports by Device Type, sorted by the following UI Categories: Access Control, Database Activity, Enterprise Content Management, HP NonStop Audit, IBM i5/OS Activity, IBM z/OS Activity, Mail Activity, Network Activity, Operational, Policy Reports, Storage Systems Activity, Threat Management and Flow Activity.
For more information on Log Source Package (LSP) devices, see the Log Source Guide for that device.
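The mapping tables answer a practical question for a security operations team: for each device type the Appliance can collect from, which canned reports exist, and therefore which detection-relevant views (authentication, account lifecycle, privilege changes) you get for free and which you would have to build yourself. The following script is an added example, not part of the TIBCO LogLogic product or its documentation. It takes table rows in the form they appear in a text export of this guide, where the Device Type and Log Source Report columns run together with no separator, splits each row on the longest known report name, and then lists the device types that lack a required set of reports. The report vocabulary is copied from Table 2 (Access Control) below; the sample rows are a subset of that table; the set of required reports, and every function name, are assumptions made for illustration.

```python
"""Split flattened 'Device Type + Report Name' rows from the mapping tables
and find device types that lack a required set of reports.

Added example; not part of the TIBCO LogLogic product or documentation.
The sample rows are a subset of Table 2 (Access Control) of this guide;
the required-report set is an assumption made for illustration.
"""
from collections import defaultdict

# Report names that occur in the Access Control table. Each exported row is
# "<Device Type> <Report Name>" with no separator, so the only reliable way
# to split a row is to match a known report name at its end.
ACCESS_CONTROL_REPORTS = (
    "Permission Modification",
    "User Access",
    "User Authentication",
    "User Created/Deleted",
    "User Last Activity",
    "Windows Events",
)

# Rows copied from Table 2 of this guide (subset, for illustration).
SAMPLE_ROWS = """\
Active Directory Permission Modification
Active Directory User Access
Active Directory User Created/Deleted
Active Directory User Last Activity
Active Directory Windows Events
Cisco ASA User Access
Cisco ASA User Authentication
Cisco ASA User Last Activity
Cisco ESA User Access
Cisco ESA User Authentication
Linux Permission Modification
Linux User Access
Linux User Authentication
Linux User Created/Deleted
Linux User Last Activity
Tripwire Management Station User Access
"""


def split_row(row, report_names):
    """Split 'Device Type Report Name' on the longest known report suffix.
    Returns (device_type, report_name) or None if no known report matches."""
    row = row.strip()
    for name in sorted(report_names, key=len, reverse=True):
        if row.endswith(" " + name):
            return row[: -len(name) - 1], name
    return None


def parse_table(text, report_names=ACCESS_CONTROL_REPORTS):
    """Build {device_type: set(report_names)} from flattened table text.
    Rows that do not end in a known report name are returned separately so a
    typo or an unknown report is noticed instead of being silently attributed
    to the wrong device type."""
    mapping = defaultdict(set)
    unparsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = split_row(line, report_names)
        if parsed is None:
            unparsed.append(line.strip())
            continue
        device, report = parsed
        mapping[device].add(report)
    return dict(mapping), unparsed


def coverage_gaps(mapping, required):
    """Return {device_type: [missing reports, sorted]} for every device type
    that lacks at least one required report; fully covered devices are omitted."""
    gaps = {}
    for device, reports in sorted(mapping.items()):
        missing = sorted(set(required) - reports)
        if missing:
            gaps[device] = missing
    return gaps


if __name__ == "__main__":
    mapping, unparsed = parse_table(SAMPLE_ROWS)
    # Assumed audit requirement: each access-control source should give
    # authentication, account lifecycle and privilege-change visibility.
    required = ("User Authentication", "User Created/Deleted", "Permission Modification")
    for device, missing in coverage_gaps(mapping, required).items():
        print(f"{device}: missing {', '.join(missing)}")
    for line in unparsed:
        print(f"unparsed row: {line!r}")
```

Matching the longest report name first matters as soon as one report name is a suffix of another; with the Access Control vocabulary above it changes nothing, but a vocabulary taken from the Network Activity table ("VPN Sessions" alongside "All VPN Sessions" rows, for instance) would otherwise be split at the wrong word. Running the script on the sample rows shows that Tripwire Management Station only has a User Access report, and that Cisco ASA and Cisco ESA have no account-lifecycle or privilege-change reports at all, which is exactly the kind of gap to know about before relying on these reports for audit evidence.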
Topics
• TIBCO LogLogic Log Source Report Mapping, page 12
TIBCO LogLogic Log Source Report Mapping
Table 2 Log Source Report Mapping by Device Type - Access Control
(Device Type: Log Source Reports)
Active Directory: Permission Modification, User Access, User Created/Deleted, User Last Activity, Windows Events
BMC Remedy ARS: User Access, User Authentication, User Last Activity
Check Point Interface: User Access, User Authentication, User Created/Deleted, User Last Activity
Cisco ASA: User Access, User Authentication, User Last Activity
Cisco ESA: User Access, User Authentication
Cisco FWSM: User Access, User Authentication, User Last Activity
Cisco IOS: User Access, User Authentication, User Last Activity
Cisco ISE: Permission Modification, User Access, User Authentication, User Last Activity
Cisco NXOS: Permission Modification, User Access, User Authentication
Cisco PIX: User Access, User Authentication, User Last Activity
Cisco Secure ACS: User Access, User Authentication, User Created/Deleted, User Last Activity
Cisco VPN 3000: User Access, User Authentication, User Last Activity
Cisco Win ACS: User Access, User Authentication, User Last Activity
Decru Datafort: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
F5 TMOS: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
HP/UX: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
HP-UX Audit: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
IBM AIX: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
IBM AIX Audit: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
IBM DB2: User Created/Deleted
Juniper Firewall: User Access, User Authentication, User Last Activity
Juniper JunOS: User Access, User Authentication, User Last Activity
Juniper SSL VPN: User Access, User Authentication, User Last Activity
Juniper SSL VPN Secure Access: User Access, User Authentication, User Last Activity
KondorPlus: User Access, User Authentication, User Last Activity
Linux: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
LogLogic Appliance: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
Microsoft IAS: User Access, User Authentication, User Last Activity
Microsoft MOM/SCOM: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity, Windows Events
Microsoft Windows: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity, Windows Events
Microsoft Windows French: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity, Windows Events
Microsoft Windows German: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity, Windows Events
Microsoft Windows Japanese: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity, Windows Events
NetApp Filer: User Access, User Authentication, User Created/Deleted, User Last Activity
NetApp Filer Audit: User Access, User Authentication, User Created/Deleted, User Last Activity
Nortel Contivity: User Access, User Authentication, User Last Activity
Novell eDirectory: Permission Modification, User Access, User Authentication, User Last Activity
Other UNIX: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
RSA ACE Server: User Access, User Authentication, User Last Activity
Sidewinder: User Access, User Authentication, User Created/Deleted, User Last Activity
SiteMinder: User Access, User Authentication, User Last Activity
Sun Solaris: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
Sun Solaris BSM: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
Symantec Endpoint Protection: User Access, User Authentication, User Created/Deleted, User Last Activity
TIBCO ActiveMatrix Administrator: User Access, User Authentication, User Last Activity
TIBCO Administrator: User Access, User Authentication, User Last Activity
Tripwire Management Station: User Access
VMware ESX: Permission Modification, User Access, User Authentication, User Created/Deleted, User Last Activity
VMware Orchestrator: User Access, User Authentication, User Last Activity
VMware vCenter: User Access, User Authentication, User Last Activity
VMware vCloud Director: User Access, User Authentication, User Created/Deleted, User Last Activity
VMware vShield Edge: User Access, User Authentication, User Last Activity
Table 3 Log Source Report Mapping by Device Type – Database Activity
(Device Type: Log Source Reports)
IBM DB2: All Database Events, Database Access, Database Data Access, Database Privilege Modifications, Database System Modifications
Microsoft SQL Server: All Database Events, Database Access, Database Data Access, Database Privilege Modifications, Database System Modifications
Oracle Database: All Database Events, Database Access, Database Data Access, Database Privilege Modifications, Database System Modifications
Sybase ASE: All Database Events, Database Access, Database Data Access, Database Privilege Modifications, Database System Modifications
Table 4 Log Source Report Mapping by Device Type – Enterprise Content Management
(Device Type: Log Source Reports)
All: ECM Activity
Cisco ASA: Content Management, ECM Activity
Fortinet FortiOS: ECM Activity
Juniper SSL VPN Secure Access: ECM Activity
Microsoft SharePoint: Content Management, ECM Activity, Expiration and Disposition, Security Settings
Palo Alto Networks PANOS: ECM Activity
Table 5 Log Source Report Mapping by Device Type – HP NonStop Audit
(Device Type: Log Source Reports)
HP NonStop Audit: Configuration Changes, Failed And Successful Logins, HP NonStop Audit Activity, Object Access, Object Changes, User Actions
Table 6 Log Source Report Mapping by Device Type – IBM i5/OS
(Device Type: Log Source Reports)
IBM i5/OS: All Log Entry Types, System Object Access, User Access by Connection, User Action, User Jobs
Table 7 Log Source Report Mapping by Device Type – IBM z/OS Activity
(Device Type: Log Source Reports)
z/OS RACF: Unix System Services, Violation, Login/Logout, Resource Access, Security Modifications, System Access/Configuration
Table 8 Log Source Report Mapping by Device Type – Mail Activity
(Device Type: Log Source Reports)
Cisco ESA: Server Activity
Microsoft Exchange 2000/03: Exchange 2000/03 Activity, Exchange 2000/03 Delay, Exchange 2000/03 Size, Exchange 2000/03 SMTP
Microsoft Exchange 2007/10 Message Tracking: Exchange 2007 Mail Size, Exchange 2007 Activity
Microsoft Exchange 2007 Pop/Imap: Server Activity
Microsoft Exchange 2007 SMTP Receive: Server Activity
Microsoft Exchange 2007 SMTP Send: Server Activity
Table 9 Log Source Report Mapping by Device Type – Network Activity
(Device Type: Log Source Reports)
All: Denied Connections, NAT64 Activity, VPN Sessions
Apache WebServer: Web Cache Activity, Web Surfing Activity
Blue Coat ProxySG: Web Cache Activity
Blue Coat Syslog: Web Cache Activity
Check Point Interface: Accepted Connections, Active VPN Connections, Application Distribution, Denied Connections, FTP Connections, VPN Access, VPN Sessions, VPN Top Lists, Web Surfing Activity
Cisco ASA: Accepted Connections, Active FW Connections, Active VPN Connections, Application Distribution, Denied Connections, FTP Connections, VPN Access, VPN Sessions, VPN Top Lists, Web Surfing Activity
Cisco Content Engine: Web Cache Activity, Web Surfing Activity
Cisco FWSM: Accepted Connections, Active FW Connections, Active VPN Connections, Application Distribution, Denied Connections, FTP Connections, VPN Access, VPN Sessions, VPN Top Lists, Web Surfing Activity
Cisco IOS: Accepted Connections, Denied Connections
Cisco NetFlow: NAT64 Activity
Cisco NXOS: Accepted Connections, Denied Connections
Cisco PIX: Accepted Connections, Active FW Connections, Active VPN Connections, Application Distribution, Denied Connections, FTP Connections, VPN Access, VPN Sessions, VPN Top Lists, Web Surfing Activity
Cisco Router: Denied Connections
Cisco WSA: Web Cache Activity, Web Surfing Activity
Cisco VPN 3000: Active VPN Connections, VPN Access, VPN Sessions, VPN Top Lists
F5 TMOS: Accepted Connections, Denied Connections, Web Cache Activity, Web Surfing Activity
Fortinet FortiOS: Accepted Connections, Application Distribution, Denied Connections
Generic W3C: Web Cache Activity, Web Surfing Activity
Juniper Firewall: Accepted Connections, Application Distribution, Denied Connections
Juniper JunOS: Accepted Connections, Application Distribution, Denied Connections
Juniper RT_Flow: Accepted Connections, Denied Connections
Juniper SSL VPN: Web Cache Activity, Web Surfing Activity
Microsoft DHCP: DHCP Denied Activity, DHCP Granted/Renewed Activity, DHCP Activity
Microsoft IIS: Web Cache Activity, Web Surfing Activity
Microsoft ISA: Web Cache Activity
NetApp NetCache: Web Cache Activity
Nortel Contivity: Accepted Connections, Active VPN Connections, Application Distribution, Denied Connections, VPN Access, VPN Sessions, VPN Top Lists, Web Surfing Activity
Palo Alto Networks PANOS: Accepted Connections, Application Distribution, Denied Connections, Web Surfing Activity
RADIUS Acct Client: Active VPN Connections, VPN Access, VPN Sessions, VPN Top Lists
Sidewinder: Accepted Connections, Denied Connections
Squid: Web Cache Activity
Symantec Endpoint Protection: Accepted Connections, Application Distribution, Denied Connections
VMware vShield Edge: Accepted Connections, Denied Connections, DHCP Activity, DHCP Granted/Renewed Activity
Table 10 Log Source Report Mapping by Device Type – Operational
Device Type Log Source Reports
All All Unparsed Events
Active Directory All Unparsed Events
Active Directory Total Message Count
Apache WebServer All Unparsed Events
Apache WebServer Total Message Count
Blue Coat Proxy Syslog All Unparsed Events
Blue Coat Proxy Syslog Total Message Count
Blue Coat ProxySG All Unparsed Events
Log Source Report Mapping Guide
TIBCO LogLogic Log Source Report Mapping | 29
Blue Coat ProxySG Total Message Count
BMC Remedy ARS All Unparsed Events
BMC Remedy ARS Total Message Count
Check Point Interface All Unparsed Events
Check Point Interface Firewall Statistics
Check Point Interface Security Events
Check Point Interface System Events
Check Point Interface Total Message Count
Check Point Inerface VPN Events
Cisco ASA All Unparsed Events
Cisco ASA Firewall Statistics
Cisco ASA Security Events
Cisco ASA System Events
Cisco ASA Total Message Count
Cisco ASA VPN Events
Cisco Content Engine All Unparsed Events
Cisco Content Engine Total Message Count
Cisco ESA All Unparsed Events
Cisco ESA Total Message Count
Cisco FWSM All Unparsed Events
Cisco FWSM Firewall Statistics
Cisco FWSM Security Events
Cisco FWSM System Events
Cisco FWSM Total Message Count
Table 10 Log Source Report Mapping by Device Type – Operational (Cont’d)
Device Type Log Source Reports
Log Source Report Mapping Guide
30 | Chapter 1 Introduction
Cisco FWSM VPN Events
Cisco IOS All Unparsed Events
Cisco IOS Total Message Count
Cisco IPS All Unparsed Events
Cisco IPS Total Message Count
Cisco ISE All Unparsed Events
Cisco ISE Total Message Count
Cisco NetFlow All Unparsed Events
Cisco NetFlow Total Message Count
Cisco NXOS All Unparsed Events
Cisco NXOS Total Message Count
Cisco PIX All Unparsed Events
Cisco PIX Firewall Statistics
Cisco PIX Security Events
Cisco PIX System Events
Cisco PIX Total Message Count
Cisco PIX VPN Events
Cisco Router All Unparsed Events
Cisco Router Firewall Statistics
Cisco Router Total Message Count
Cisco Secure ACS All Unparsed Events
Cisco Secure ACS Total Message Count
Cisco WSA All Unparsed Events
Cisco WSA Total Message Count
Table 10 Log Source Report Mapping by Device Type – Operational (Cont’d)
Device Type Log Source Reports
Log Source Report Mapping Guide
TIBCO LogLogic Log Source Report Mapping | 31
Cisco Switch All Unparsed Events
Cisco Switch Total Message Count
Cisco VPN 3000 All Unparsed Events
Cisco VPN 3000 Total Message Count
Cisco VPN 3000 VPN Events
Cisco Win ACS All Unparsed Events
Cisco Win ACS Total Message Count
Decru Datafort All Unparsed Events
Decru Datafort Total Message Count
F5 TMOS Total Message Count
Fortinet FortiOS All Unparsed Events
Fortinet FortiOS Total Message Count
General Syslog All Unparsed Events
General Syslog Total Message Count
General TIBCO All Unparsed Events
General TIBCO Total Message Count
Generic W3C All Unparsed Events
Generic W3C Total Message Count
Guardium SQL Guard All Unparsed Events
Guardium SQL Guard Total Message Count
Guardium SQLGuard Audit All Unparsed Events
Guardium SQLGuard Audit Total Message Count
Guardium SQLGuard Audit All Unparsed Events
Guardium SQLGuard Audit Total Message Count
Table 10 Log Source Report Mapping by Device Type – Operational (Cont’d)
Device Type Log Source Reports
Log Source Report Mapping Guide
32 | Chapter 1 Introduction
HP NonStop Audit All Unparsed Events
HP NonStop Audit Total Message Count
HP/UX All Unparsed Events
HP/UX Total Message Count
HP-UX Audit All Unparsed Events
HP-UX Audit Total Message Count
IBM AIX All Unparsed Events
IBM AIX Total Message Count
IBM AIX Audit All Unparsed Events
IBM AIX Audit Total Message Count
IBM DB2 All Unparsed Events
IBM DB2 Total Message Count
IBM i5/OS All Unparsed Events
IBM i5/OS Total Message Count
ISS RealSecure NIDS All Unparsed Events
ISS RealSecure NIDS Total Message Count
ISS SiteProtector All Unparsed Events
ISS SiteProtector Total Message Count
Juniper Firewall All Unparsed Events
Juniper Firewall Firewall Statistics
Juniper Firewall Security Events
Juniper Firewall System Events
Juniper Firewall Total Message Count
Juniper IDP All Unparsed Events
Juniper IDP Total Message Count
Juniper JunOS All Unparsed Events
Juniper JunOS Firewall Statistics
Juniper JunOS Total Message Count
Juniper RT_Flow All Unparsed Events
Juniper RT_Flow Firewall Statistics
Juniper RT_Flow Total Message Count
Juniper SSL VPN All Unparsed Events
Juniper SSL VPN Total Message Count
Juniper SSL VPN Secure Access All Unparsed Events
Juniper SSL VPN Secure Access Total Message Count
KondorPlus All Unparsed Events
KondorPlus Total Message Count
Linux All Unparsed Events
Linux Total Message Count
LogLogic Appliance All Unparsed Events
LogLogic Appliance Total Message Count
LogLogic Database Security Manager All Unparsed Events
LogLogic Database Security Manager Total Message Count
LogLogic Management Center All Unparsed Events
LogLogic Management Center Total Message Count
LogLogic Universal Collector All Unparsed Events
LogLogic Universal Collector Total Message Count
McAfee ePolicy Orchestrator All Unparsed Events
McAfee ePolicy Orchestrator Total Message Count
Microsoft DHCP All Unparsed Events
Microsoft DHCP Total Message Count
Microsoft DNS All Unparsed Events
Microsoft Exchange 2000/03 All Unparsed Events
Microsoft Exchange 2000/03 Total Message Count
Microsoft Exchange 2007/10 Application logs All Unparsed Events
Microsoft Exchange 2007/10 Application logs Total Message Count
Microsoft Exchange 2007/10 Message Tracking All Unparsed Events
Microsoft Exchange 2007/10 Message Tracking Total Message Count
Microsoft Exchange 2007 Pop/Imap All Unparsed Events
Microsoft Exchange 2007 Pop/Imap Total Message Count
Microsoft Exchange 2007/10 SMTP Receive All Unparsed Events
Microsoft Exchange 2007/10 SMTP Receive Total Message Count
Microsoft Exchange 2007/10 SMTP Send All Unparsed Events
Microsoft Exchange 2007/10 SMTP Send Total Message Count
Microsoft IAS All Unparsed Events
Microsoft IAS Total Message Count
Microsoft IIS All Unparsed Events
Microsoft IIS Total Message Count
Microsoft ISA All Unparsed Events
Microsoft ISA Total Message Count
Microsoft MOM/SCOM All Unparsed Events
Microsoft MOM/SCOM Total Message Count
Microsoft SharePoint All Unparsed Events
Microsoft SharePoint Total Message Count
Microsoft SQL Server All Unparsed Events
Microsoft SQL Server Total Message Count
Microsoft SQL Server Application logs All Unparsed Events
Microsoft SQL Server Application logs Total Message Count
Microsoft SQL Server GDBC All Unparsed Events
Microsoft SQL Server GDBC Total Message Count
Microsoft Windows All Unparsed Events
Microsoft Windows Total Message Count
Microsoft Windows Chinese All Unparsed Events
Microsoft Windows Chinese Total Message Count
Microsoft Windows French All Unparsed Events
Microsoft Windows French Total Message Count
Microsoft Windows German All Unparsed Events
Microsoft Windows German Total Message Count
Microsoft Windows Japanese All Unparsed Events
Microsoft Windows Japanese Total Message Count
Microsoft Windows Korean All Unparsed Events
Microsoft Windows Korean Total Message Count
MySQL Server GDBC All Unparsed Events
MySQL Server GDBC Total Message Count
NetApp Filer All Unparsed Events
NetApp Filer Total Message Count
NetApp Filer Audit All Unparsed Events
NetApp Filer Audit Total Message Count
NetApp NetCache All Unparsed Events
NetApp NetCache Total Message Count
Nortel Contivity All Unparsed Events
Nortel Contivity System Events
Nortel Contivity Total Message Count
Nortel Contivity VPN Events
Novell eDirectory All Unparsed Events
Novell eDirectory Total Message Count
Oracle Database All Unparsed Events
Oracle Database Total Message Count
Oracle GDBC All Unparsed Events
Oracle GDBC Total Message Count
Other File Device All Unparsed Events
Other File Device Total Message Count
Other UNIX All Unparsed Events
Other UNIX Total Message Count
Palo Alto Networks PANOS All Unparsed Events
Palo Alto Networks PANOS Total Message Count
RADIUS Acct Client All Unparsed Events
RADIUS Acct Client Total Message Count
RADIUS Acct Client VPN Events
RSA ACE Server All Unparsed Events
RSA ACE Server Total Message Count
Sidewinder All Unparsed Events
Sidewinder Firewall Statistics
Sidewinder Total Message Count
SiteMinder All Unparsed Events
SiteMinder Total Message Count
SiteProtector All Unparsed Events
SiteProtector Total Message Count
Snort All Unparsed Events
Snort Total Message Count
Sourcefire All Unparsed Events
Sourcefire Total Message Count
Sourcefire Defense Center All Unparsed Events
Sourcefire Defense Center Total Message Count
Squid All Unparsed Events
Squid Total Message Count
Sun Solaris All Unparsed Events
Sun Solaris Total Message Count
Sun Solaris BSM All Unparsed Events
Sun Solaris BSM Total Message Count
Sybase ASE All Unparsed Events
Sybase ASE Total Message Count
Symantec AntiVirus All Unparsed Events
Symantec AntiVirus Total Message Count
Symantec Endpoint Protection All Unparsed Events
Symantec Endpoint Protection Total Message Count
TIBCO ActiveMatrix Administrator All Unparsed Events
TIBCO ActiveMatrix Administrator Total Message Count
TIBCO Administrator All Unparsed Events
TIBCO Administrator Total Message Count
TIBCO Business Works All Unparsed Events
TIBCO Business Works Total Message Count
TIBCO EMSC All Unparsed Events
TIBCO EMSC Total Message Count
TIBCO Hawk Agent All Unparsed Events
TIBCO Hawk Agent Total Message Count
TrendMicro Control Manager All Unparsed Events
TrendMicro Control Manager Total Message Count
TrendMicro OfficeScan All Unparsed Events
TrendMicro OfficeScan Total Message Count
Tripwire Management Station All Unparsed Events
Tripwire Management Station Total Message Count
VMware ESX All Unparsed Events
VMware ESX Total Message Count
VMware Orchestrator All Unparsed Events
VMware Orchestrator Total Message Count
VMware vCenter Total Message Count
VMware vCenter All Unparsed Events
VMware vCloud Director Total Message Count
VMware vShield Total Message Count
z/OS RACF All Unparsed Events
z/OS RACF Total Message Count
Table 11 Log Source Report Mapping by Device Type – Policy Reports
Device Type Log Source Reports
Check Point Interface Rules/Policies
Juniper Firewall Rules/Policies
LogLogic Appliance Network Policies
Microsoft SharePoint ECM Policy
Nortel Contivity Rules/Policies
Table 12 Log Source Report Mapping by Device Type – Storage Systems Activity
Device Type Log Source Reports
NetApp Filer Filer Access
NetApp Filer Audit Filer Access
Table 13 Log Source Report Mapping by Device Type – Threat Management
Device Type Log Source Reports
All IDS/IPS Activity
All HIPS Activity
Cisco ASA IDS/IPS Activity
Cisco ASA Security Summary
Cisco ESA Threat Activity
Cisco ESA Configuration Activity
Cisco ESA Scan Activity
Cisco ESA Security Summary
Cisco FWSM IDS/IPS Activity
Cisco IOS IDS/IPS Activity
Cisco IPS Security Summary
Cisco ISE Security Summary
Cisco NXOS Security Summary
Cisco NXOS2 Security Summary
Cisco IPS IDS/IPS Activity
Cisco PIX IDS/IPS Activity
Cisco Secure ACS Security Summary
Cisco WSA Security Summary
F5 TMOS Security Summary
Fortinet FortiOS IDS/IPS Activity
Fortinet FortiOS Threat Activity
Guardium SQL Guard DB IPS Activity
Guardium SQLGuard Audit DB IPS Activity
ISS RealSecure NIDS IDS/IPS Activity
ISS SiteProtector IDS/IPS Activity
Juniper IDP IDS/IPS Activity
Juniper JunOS IDS/IPS Activity
McAfee ePolicy Orchestrator Configuration Activity
McAfee ePolicy Orchestrator HIPS Activity
McAfee ePolicy Orchestrator Scan Activity
McAfee ePolicy Orchestrator Threat Activity
Palo Alto Networks PANOS IDS/IPS Activity
Palo Alto Networks PANOS Threat Activity
SiteProtector IDS/IPS Activity
Snort IDS/IPS Activity
Sourcefire IDS/IPS Activity
Sourcefire Defense Center IDS/IPS Activity
Symantec AntiVirus Configuration Activity
Symantec AntiVirus Scan Activity
Symantec AntiVirus Threat Activity
Symantec Endpoint Protection Threat Activity
Symantec Endpoint Protection Configuration Activity
Symantec Endpoint Protection HIPS Activity
Symantec Endpoint Protection Scan Activity
Symantec Endpoint Protection Security Summary
TrendMicro Control Manager Threat Activity
TrendMicro OfficeScan Threat Activity
Table 14 Log Source Report Mapping by Device Type – Flow Activity
Device Type Log Source Reports
All Application Usage
All User Browsing Statistics
All Top Users
Cisco NetFlow Application Usage
Cisco NetFlow User Browsing Statistics
Cisco NetFlow Top Users