```csvpreview {header="true"}
Vendor,Normalizer name,Last modified,Comments
Unix,[01-08-2023] Unix AuditD (Syslog - REGEX),01.08.2023,"Recommended AuditD config: https://github.com/Neo23x0/auditd
added:
- 01.08.2023 Box Syslog parser changed to Regex, some fixes in sub parsers
- 07.07.2023 Zimbra section added
- 16.05.23 ""Audit message KV normalization"" proctitle now writes in DestinationProcessName with HexDecode
- add regex for case: (node=\S+) after syslog header
- add extranormalizer for EXECVE, SYSCALL, PATH
- add regex for CRON logs (CMD)
- add extranormalizer for USER_AUTH, USER_LOGIN, DEL_USER, ADD_USER
- add nametype for PATH
- add extranormalizer for CONFIG_CHANGE, pam, Oracle Audit, smbd_audit, named, postfix, sshd, suricata, tag_exim, sudo"
1C,[25-07-2023] 1C logs JSON,25.07.2023,
PaloAlto,[25-07-2023] PaloAlto Global Protect (LEEF),25.07.2023,
YaCloud,[25-07-2023] Yandex Cloud K8S (Syslog-JSON),25.07.2023,
Unix,Unix AuditD (Syslog),07.07.2023,"Recommended AuditD config: https://github.com/Neo23x0/auditd
added:
- 07.07.2023 Zimbra section added
- 16.05.23 ""Audit message KV normalization"" proctitle now writes in DestinationProcessName with HexDecode
- add regex for case: (node=\S+) after syslog header
- add extranormalizer for EXECVE, SYSCALL, PATH
- add regex for CRON logs (CMD)
- add extranormalizer for USER_AUTH, USER_LOGIN, DEL_USER, ADD_USER
- add nametype for PATH
- add extranormalizer for CONFIG_CHANGE, pam, Oracle Audit, smbd_audit, named, postfix, sshd, suricata, tag_exim, sudo"
VMware,[07-07-2023] VMware vCenter 7.0 (Syslog),07.07.2023,Created by Community User
HPE,[07-07-2023] HPE ArubaAP 8.11 (Syslog),07.07.2023,Created by Community User
PTsecurity,[07-07-2023] PTsecurity NAD 11.0 (Syslog),07.07.2023,Created by Community User
PTsecurity,[07-07-2023] PTsecurity AF 3.7 (CEF),07.07.2023,Created by Community User
MS,[07-07-2023] MS Windows Firewall Log,07.07.2023,"Created by Community User
https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/
date — The date field identifies the date in the format YYYY-MM-DD.
time — The local time is displayed in the log file using the format HH:MM:SS. The hours are referenced in 24-hour format.
action — As the firewall processes traffic, certain actions are recorded. The logged actions are DROP for dropping a connection, OPEN for opening a connection, CLOSE for closing a connection, OPEN-INBOUND for an inbound session opened to the local computer, and INFO-EVENTS-LOST for events that were processed by the Windows Firewall but were not recorded in the security log.
protocol — The protocol used such as TCP, UDP, or ICMP.
src-ip — Displays the source IP address (the IP address of the computer attempting to establish communication).
dst-ip — Displays the destination IP address of a connection attempt.
src-port — The port number on the sending computer from which the connection was attempted.
dst-port — The port to which the sending computer was trying to make a connection.
size — Displays the packet size in bytes.
tcpflags — Information about TCP control flags in TCP headers.
tcpsyn — Displays the TCP sequence number in the packet.
tcpack — Displays the TCP acknowledgement number in the packet.
tcpwin — Displays the TCP window size, in bytes, in the packet.
icmptype — Information about the ICMP messages.
icmpcode — Information about the ICMP messages.
info — Displays an entry that depends on the type of action that occurred.
path — Displays the direction of the communication. The options available are SEND, RECEIVE, FORWARD, and UNKNOWN."
MS,[07-07-2023] MS Windows PowerShell Log,07.07.2023,
Sonicwall,[04-07-2023] Sonicwall FW (CEF),04.07.2023,
WatchGuard,[04-07-2023] WatchGuard Firebox (Syslog),04.07.2023,
MS,Windows Extended v.0.3 + Sysmon,03.07.2023,Recommended Sysmon config: https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-with-filedelete.xml
PTsecurity,[03-07-2023] PTsecurity NAD (JSON),03.07.2023,
Sophos,Sophos XG + UTM,28.06.2023,
CheckPoint,CheckPoint Quantum Spark 1800,05.06.2023,
MS,IIS Exchange Log File Format 2.0,12.05.2023,
MikroTik,Mikrotik Syslog,12.05.2023,
PTsecurity,PTsecurity ISIM,27.02.2023,
Cisco,Cisco Universal Syslog (regex),22.02.2023,"20-07-2023 - reworked for SEC-6-IPACCESSLOGP, FTD-1-430002 and SFIMS (Cisco Firepower Threat Defense)
22-02-2023 - parser 313864 reworked
17-02-2023 - parser 106023 reworked
9-01-2023 - parsing of 113005 added
Another regexp added to the first parser. Product type changed to ASA. Event parsers from 737015 to 717033 added in the ASA branch. (7-12-2022 - IPNAT events added)
Field description - https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/www.cisco.com/content/en/us/td/docs/security/fwsm/fwsm41/system/message/syslog/logmsgs.html.xml"
Broadcom Inc,Symantec Endpoint Protection SQL,07.02.2023,
SAP,SAP regexp (Syslog),07.02.2023,Processes the log file at the path: /usr/sap/HRP/D*/log
NetApp,NetApp regexp/xml (File app audit),07.02.2023,
MS,DNS Windows,09.01.2023,Added OPCODE enrichment
B4Com Technologies,B4Com MCR Routers,20.12.2022,
FUDO,FUDO PAM,01.12.2022,
Citrix,Citrix NetScaler,01.12.2022,
MS,Windows logs (Logstash),30.11.2022,
NGate,NGate (JSON),29.11.2022,
Huawei,Huawei USG Syslog,23.11.2022,
Eltex,Eltex MES,23.11.2022,
Kaspersky,KSE (SQL),07.11.2022,Kaspersky Security for Exchange
Kaspersky,KEDR telemetry,03.11.2022,
InfoWatch,InfoWatch Traffic Monitor,03.11.2022,
MikroTik,Mikrotik Syslog,31.10.2022,
PTsecurity,PTsecurity Sandbox,31.10.2022,Kaspersky Endpoint Detection and Response telemetry collected via kafka v. 0.1
CheckPoint,Checkpoint Syslog KV,28.10.2022,
Код Безопасности,SecretNet SQL v2,17.10.2022,"Some Updated Message Parsing
"".*Подсистема:\\s(\\S+)""
"".*Имя\\sпользователя:\\s(\\S+)""
"".*Узел\\sклиента:\\s(\\S+)""
"".*Узел\\sсервера:\\s(\\S+)""
"".*Причина.*:\\s(.+)$""
"".*Категория\\sконфиденциальности:\\s(.+)$""
"".*Предъявлен\\sидентификатор:\\s(\\S+)""
"".*Процесс:\\s(\\S+)""
"".*ID\\sпроцесса:\\s(\\S+)""
"".*Имя\sпроцесса:\s(\S+)""
"".*Файл:\s(\S+)""
"".*Внутреннее\sимя\sзадачи:\s(\S+)""
"".*Инициатор\sзадачи:\s(\S+)""
"".*Вирус:\s(\S+)""
"".*Путь:\s(\S+)""
"".*Описание:\s(\S+)""
"".*Зараженный\sфайл:\s(\S+)""
"".*Объект:\s(\S+)""
"".*Зараженный\sпроцесс\sбыл\sзапущен\sиз\sфайла:\s(\S+)""
"".*Имя\sфайла:\s(\S+)""
Имя ресурса
Задача
Имя задания
Реакция
Имя объекта:
Имя инициирующего процесса:
Вызывающий модуль:
Вызываемый модуль:"
MS,Windows Server Essentials Experience (WSEE),22.09.2022,
OpenVAS,OpenVAS-CSV (File),22.09.2022,"yum install xmlstarlet
Put the reports in the /opt/reports/ folder (or any other folder of your choice) (collector transport type: file at this path)
Add a job to root's crontab that runs the command every 30 minutes
echo PATH=$PATH >> /var/spool/cron/root ; echo SHELL=$SHELL >> /var/spool/cron/root ; echo ""# m h dom mon dow user command"" >> /var/spool/cron/root ; echo ""*/30 * * * * for i in $(ls /opt/reports/*.xml); do xmlstarlet sel -T -t -m /report/report/results/result -v ""concat(@id,',',host/hostname,',',host/text(),',',port,',',name,',',nvt/family,',',nvt/cvss_base,',',threat,',',nvt/refs/ref/@id,',',creation_time)"" -n $i >> /opt/openvas_csv.csv; mv $i $i.processed; done"
VMware,ESXi (Syslog) !Heavy Parser!,22.09.2022,
UserGate,UserGate CEF,22.09.2022,
Unix,Unix AuditD (Beats Agent),22.09.2022,"AUDITD and SYSTEM logs from beats agent
v.0.2:
- DeviceAction -> DeviceEventClassId
- added extranormalizers for every type"
Kaspersky,KSC Cloud Console,22.09.2022,
UserGate,UserGate (CEF),22.09.2022,
Mitigator,Mitigator AntiDDoS,22.09.2022,
ZECURION,ZECURION WEBPROXY,22.09.2022,
Radware,Radware DefensePro AntiDDoS,22.09.2022,
Minerva Labs,Minerva EDR,22.09.2022,
Ahnlab,Ahnlab IPS v5 with enrichment,22.09.2022,
DrWEB,DrWeb SQL (another),22.09.2022,
GFI,Kerio Control (Syslog),22.09.2022,
PTC,Windchill Fracas,22.09.2022,
Broadcom Inc,Blue Coat ProxySG (KV),22.09.2022,
Broadcom Inc,Blue Coat ProxySG (CSV),22.09.2022,
FortiNet,FortiMail (KV),22.09.2022,
Huawei,Huawei Eudemon,22.09.2022,
DrWEB,DrWEB SQL - AntiVirus,22.09.2022,
sFlow,Sflow (Logstash),22.09.2022,
Dallas Lock,Dallas Lock,22.09.2022,
Интернет Контроль Сервер,Интернет Контроль Сервер (Syslog),22.09.2022,
Nokia,[22-09-2022] Nokia VitalQIP (Syslog),22.09.2022,
MS,IIS Exchange Log File Format,01.02.2022,
MS,"OWA,EAS,MAPI (CSV)",24.01.2022,
Kaspersky,KSC from SQL,17.01.2022,"README! The last 2 extranormalizers, MESSAGE and LAST RESORT, have been added. The first handles the message field without kv using regular expressions, the second handles kv.
17-11-2022 a regular expression for the events
KLSRV_HOST_STATUS_WARNING(CRITICAL) was added to the MESSAGE normalizer"
oVirt,Zvirt/oVirt (Syslog),11.01.2022,
```