TIBCO LogLogic® Log Management Intelligence (LMI)
Log Source Report Mapping Guide
Software Release 6.1 March 2017
Two-Second Advantage®
Important Information
SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.
USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.
This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.
TIBCO, Two-Second Advantage, and LogLogic are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.
All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.
THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.
THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.
Copyright © 2002-2017 TIBCO Software Inc. All rights reserved.
TIBCO Software Inc. Confidential Information
Contents
Preface
  Related Documents
  Typographical Conventions
  Connecting with TIBCO Resources
    How to Join TIBCOmmunity
    How to Access TIBCO Documentation
    How to Contact TIBCO Support
Chapter 1 Introduction
  TIBCO LogLogic Log Source Report Mapping
Preface
TIBCO LogLogic® Appliances let you capture and manage log data from all types of log sources in your enterprise. This TIBCO LogLogic® LMI Log Source Report Mapping Guide provides a set of tables listing Log Source Reports by Device Type, sorted by UI Category.
For more information on creating reports and alerts, see the TIBCO LogLogic® LMI User Guide.
Topics
• Related Documents
• Typographical Conventions
• Connecting with TIBCO Resources
Related Documents
The LogLogic documentation is available on the TIBCO LogLogic documentation page.
The following documents contain information about the LogLogic Appliances:
• TIBCO LogLogic® LMI Release Notes — Provides information specific to the release including product information, new features and functionality, resolved issues, known issues and any late-breaking information. Check the LogLogic Customer Support Website periodically for further updates.
• TIBCO LogLogic® LMI Hardware Installation Guide — Describes how to get started with your LogLogic Appliance. In addition, the guide includes details about the Appliance hardware for all models.
• TIBCO LogLogic® LMI Configuration and Upgrade Guide — Describes how to install and upgrade the LogLogic Appliance software.
• TIBCO LogLogic® LMI User Guide — Describes how to use the LogLogic solution, viewing dashboard, managing reports, managing alerts, and performing searches.
• TIBCO LogLogic® LMI Administration Guide — Describes how to administer the LogLogic solution including all Management and Administration menu options.
• TIBCO LogLogic® Log Source Packages Configuration Guides — Describe how to support log data from various log sources. There is a separate manual for each supported log source. These documents include documentation on LogLogic Collectors as well as documentation on how to configure log sources to work with the LogLogic solution.
• TIBCO LogLogic® Log Source Packages Collector Guides — Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/OS and ISS Site Protector.
• TIBCO LogLogic® LMI Web Services API Implementation Guide — Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administrate the system.
• TIBCO LogLogic® LMI Syslog Alert Message Format Quick Reference Guide — Describes the LogLogic Syslog alert message format.
• TIBCO LogLogic® LMI Enterprise Virtual Appliance Quick Start Guide— Provides instructions on how to quickly set up the TIBCO Enterprise Virtual Appliance.
• TIBCO LogLogic® LMI Log Source Report Mapping Guide — Provides a set of tables listing Log Source Reports by Device Type, sorted by UI Category.
• TIBCO LogLogic® LMI XML Import/Export Entities Reference Guide — Describes how to manually import, export, and edit XML files into and from the appliance when not using the appliance UI.
• TIBCO LogLogic® LMI Memory Module Installation Guide—Describes how to install and remove memory modules in LogLogic appliances.
Typographical Conventions
The following typographical conventions are used in this manual.
Table 1 General Typographical Conventions

Convention: ENV_NAME, TIBCO_HOME, <ProductAcronym>_HOME
Use: TIBCO products are installed into an installation environment. A product installed into an installation environment does not access components in other installation environments. Incompatible products and multiple instances of the same product must be installed into different installation environments.
An installation environment consists of the following properties:
• Name: Identifies the installation environment. This name is referenced in documentation as ENV_NAME. On Microsoft Windows, the name is appended to the name of Windows services created by the installer and is a component of the path to the product shortcut in the Windows Start > All Programs menu.
• Path: The folder into which the product is installed. This folder is referenced in documentation as TIBCO_HOME.
TIBCO <ProductName> installs into a directory within a TIBCO_HOME. This directory is referenced in documentation as <ProductAcronym>_HOME. The default value of <ProductAcronym>_HOME depends on the operating system. For example, on Windows systems the default value is C:\tibco\<ProductAcronym>\<ReleaseNumber>.

Convention: code font
Use: Code font identifies commands, code examples, filenames, pathnames, and output displayed in a command window. For example: Use MyCommand to start the foo process.

Convention: bold code font
Use: Bold code font is used in the following ways:
• In procedures, to indicate what a user types. For example: Type admin.
• In large code samples, to indicate the parts of the sample that are of particular interest.
• In command syntax, to indicate the default parameter for a command. For example, if no parameter is specified, MyCommand is enabled: MyCommand [enable | disable]

Convention: italic font
Use: Italic font is used in the following ways:
• To indicate a document title. For example: See TIBCO ActiveMatrix BusinessWorks Concepts.
• To introduce new terms. For example: A portal page may contain several portlets. Portlets are mini-applications that run in a portal.
• To indicate a variable in a command or code syntax that you must replace. For example: MyCommand PathName

Convention: Key combinations
Use: Key names separated by a plus sign indicate keys pressed simultaneously. For example: Ctrl+C.
Key names separated by a comma and space indicate keys pressed one after the other. For example: Esc, Ctrl+Q.

Convention: Note icon
Use: The note icon indicates information that is of special interest or importance, for example, an additional action required only in certain circumstances.

Convention: Tip icon
Use: The tip icon indicates an idea that could be useful, for example, a way to apply the information provided in the current section to achieve a specific result.

Convention: Warning icon
Use: The warning icon indicates the potential for a damaging situation, for example, data loss or corruption if certain steps are taken or not taken.
Connecting with TIBCO Resources
How to Join TIBCOmmunity
TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to http://www.tibcommunity.com.
How to Access TIBCO Documentation
The latest documentation for all TIBCO products is available on the TIBCO Documentation site (https://docs.tibco.com), which is updated more frequently than any documentation that might be included with the product.
Documentation for TIBCO LogLogic products is available on the TIBCO LogLogic documentation page.
How to Contact TIBCO Support
For comments or problems with this manual or the software it addresses, contact TIBCO Support as follows:
• For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site:
http://www.tibco.com/services/support
• If you already have a valid maintenance or support contract, visit this site:
https://support.tibco.com
Entry to this site requires a user name and password. If you do not have a user name, you can request one.
Chapter 1 Introduction
This guide provides a set of tables listing Log Source Reports by Device Type, sorted by the following UI Categories: Access Control, Database Activity, Enterprise Content Management, HP NonStop Audit, IBM i5/OS Activity, IBM z/OS Activity, Mail Activity, Network Activity, Operational, Policy Reports, Storage Systems Activity, Threat Management and Flow Activity.
For more information on Log Source Package (LSP) devices, see the Log Source Guide for that device.
Topics
• TIBCO LogLogic Log Source Report Mapping
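The tables in this chapter list one "Device Type" and one "Log Source Report" per row with no delimiter between them, and both halves contain spaces ("Juniper SSL VPN Secure Access" / "User Created/Deleted"), so the rows cannot be split on whitespace. The following script is an added example, not TIBCO code and not part of this guide: it splits the rows by matching the longest known report name at the end of each row, builds a device-to-reports map, and reports which device types lack a given report. The sample rows are copied from Table 2 (Access Control); the report vocabulary is taken from the same table; the function names and the rule that each row ends in a known report name are this example's own assumptions.

```python
"""Parse the flattened "Device Type  Log Source Report" rows of this guide
and answer coverage questions over them.

Added example, not part of TIBCO's guide or product. The sample rows below
are copied from Table 2 (Access Control); the report vocabulary is from the
same table. Function names and the end-of-row matching rule are assumptions.
"""
from collections import defaultdict

# Report names that occur in the Access Control category (Table 2).
ACCESS_CONTROL_REPORTS = [
    "Permission Modification",
    "User Access",
    "User Authentication",
    "User Created/Deleted",
    "User Last Activity",
    "Windows Events",
]

# Constructed sample: a handful of rows copied verbatim from Table 2.
# A real run would feed every row of the table.
SAMPLE_ROWS = """\
Active Directory Permission Modification
Active Directory User Access
Active Directory User Created/Deleted
Active Directory User Last Activity
Active Directory Windows Events
Cisco Secure ACS User Access
Cisco Secure ACS User Authentication
Cisco Secure ACS User Created/Deleted
Cisco Secure ACS User Last Activity
Juniper SSL VPN Secure Access User Access
Juniper SSL VPN Secure Access User Authentication
Juniper SSL VPN Secure Access User Last Activity
Tripwire Management Station User Access
"""


def split_row(row, reports=ACCESS_CONTROL_REPORTS):
    """Split one flattened row into (device_type, report).

    The row is "<device type> <report>" with no delimiter, so the split
    point is found by matching the longest known report name at the end of
    the row (longest first, in case one report name is a suffix of another).
    Returns None for rows that end in no known report name, e.g. a table
    header such as "Device Type Log Source Reports", so callers can skip them.
    """
    row = row.strip()
    for report in sorted(reports, key=len, reverse=True):
        if row.endswith(" " + report):
            return row[: -len(report)].rstrip(), report
    return None


def parse_mapping(text, reports=ACCESS_CONTROL_REPORTS):
    """Return {device_type: {report, ...}} for every parseable row."""
    mapping = defaultdict(set)
    for line in text.splitlines():
        parsed = split_row(line, reports)
        if parsed:
            device, report = parsed
            mapping[device].add(report)
    return dict(mapping)


def devices_for_report(mapping, report):
    """Inverse lookup: the device types that have a given report."""
    return sorted(d for d, reps in mapping.items() if report in reps)


def coverage_gaps(mapping, required):
    """Device types missing any report in `required`, with what is missing.

    A device type with no "User Authentication" row cannot feed a report or
    alert built on that report, so the gap must be covered some other way
    (a search, or a custom report) before relying on it.
    """
    required = set(required)
    return {d: sorted(required - reps)
            for d, reps in mapping.items() if required - reps}


if __name__ == "__main__":
    m = parse_mapping(SAMPLE_ROWS)
    gaps = coverage_gaps(m, ["User Authentication", "User Created/Deleted"])
    for device, missing in sorted(gaps.items()):
        print(f"{device}: missing {', '.join(missing)}")
```

The same functions work for the other categories by passing that category's report vocabulary as `reports` (for Table 10, for instance, "All Unparsed Events" and "Total Message Count"). On the sample rows, "Active Directory" and "Tripwire Management Station" come back as lacking a User Authentication report, which is exactly what Table 2 shows for those two device types.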
TIBCO LogLogic Log Source Report Mapping
Table 2 Log Source Report Mapping by Device Type - Access Control
Device Type Log Source Reports
Active Directory Permission Modification
Active Directory User Access
Active Directory User Created/Deleted
Active Directory User Last Activity
Active Directory Windows Events
BMC Remedy ARS User Access
BMC Remedy ARS User Authentication
BMC Remedy ARS User Last Activity
Check Point Interface User Access
Check Point Interface User Authentication
Check Point Interface User Created/Deleted
Check Point Interface User Last Activity
Cisco ASA User Access
Cisco ASA User Authentication
Cisco ASA User Last Activity
Cisco ESA User Access
Cisco ESA User Authentication
Cisco FWSM User Access
Cisco FWSM User Authentication
Cisco FWSM User Last Activity
Cisco IOS User Access
Cisco IOS User Authentication
Cisco IOS User Last Activity
Cisco ISE Permission Modification
Cisco ISE User Access
Cisco ISE User Authentication
Cisco ISE User Last Activity
Cisco NXOS Permission Modification
Cisco NXOS User Access
Cisco NXOS User Authentication
Cisco PIX User Access
Cisco PIX User Authentication
Cisco PIX User Last Activity
Cisco Secure ACS User Access
Cisco Secure ACS User Authentication
Cisco Secure ACS User Created/Deleted
Cisco Secure ACS User Last Activity
Cisco VPN 3000 User Access
Cisco VPN 3000 User Authentication
Cisco VPN 3000 User Last Activity
Cisco Win ACS User Access
Cisco Win ACS User Authentication
Cisco Win ACS User Last Activity
Decru Datafort Permission Modification
Decru Datafort User Access
Decru Datafort User Authentication
Decru Datafort User Created/Deleted
Decru Datafort User Last Activity
F5 TMOS Permission Modification
F5 TMOS User Access
F5 TMOS User Authentication
F5 TMOS User Created/Deleted
F5 TMOS User Last Activity
HP/UX Permission Modification
HP/UX User Access
HP/UX User Authentication
HP/UX User Created/Deleted
HP/UX User Last Activity
HP-UX Audit Permission Modification
HP-UX Audit User Access
HP-UX Audit User Authentication
HP-UX Audit User Created/Deleted
HP-UX Audit User Last Activity
IBM AIX Permission Modification
IBM AIX User Access
IBM AIX User Authentication
IBM AIX User Created/Deleted
IBM AIX User Last Activity
IBM AIX Audit Permission Modification
IBM AIX Audit User Access
IBM AIX Audit User Authentication
IBM AIX Audit User Created/Deleted
IBM AIX Audit User Last Activity
IBM DB2 User Created/Deleted
Juniper Firewall User Access
Juniper Firewall User Authentication
Juniper Firewall User Last Activity
Juniper JunOS User Access
Juniper JunOS User Authentication
Juniper JunOS User Last Activity
Juniper SSL VPN User Access
Juniper SSL VPN User Authentication
Juniper SSL VPN User Last Activity
Juniper SSL VPN Secure Access User Access
Juniper SSL VPN Secure Access User Authentication
Juniper SSL VPN Secure Access User Last Activity
KondorPlus User Access
KondorPlus User Authentication
KondorPlus User Last Activity
Linux Permission Modification
Linux User Access
Linux User Authentication
Linux User Created/Deleted
Linux User Last Activity
LogLogic Appliance Permission Modification
LogLogic Appliance User Access
LogLogic Appliance User Authentication
LogLogic Appliance User Created/Deleted
LogLogic Appliance User Last Activity
Microsoft IAS User Access
Microsoft IAS User Authentication
Microsoft IAS User Last Activity
Microsoft MOM/SCOM Permission Modification
Microsoft MOM/SCOM User Access
Microsoft MOM/SCOM User Authentication
Microsoft MOM/SCOM User Created/Deleted
Microsoft MOM/SCOM User Last Activity
Microsoft MOM/SCOM Windows Events
Microsoft Windows Permission Modification
Microsoft Windows User Access
Microsoft Windows User Authentication
Microsoft Windows User Created/Deleted
Microsoft Windows User Last Activity
Microsoft Windows Windows Events
Microsoft Windows French Permission Modification
Microsoft Windows French User Access
Microsoft Windows French User Authentication
Microsoft Windows French User Created/Deleted
Microsoft Windows French User Last Activity
Microsoft Windows French Windows Events
Microsoft Windows German Permission Modification
Microsoft Windows German User Access
Microsoft Windows German User Authentication
Microsoft Windows German User Created/Deleted
Microsoft Windows German User Last Activity
Microsoft Windows German Windows Events
Microsoft Windows Japanese Permission Modification
Microsoft Windows Japanese User Access
Microsoft Windows Japanese User Authentication
Microsoft Windows Japanese User Created/Deleted
Microsoft Windows Japanese User Last Activity
Microsoft Windows Japanese Windows Events
NetApp Filer User Access
NetApp Filer User Authentication
NetApp Filer User Created/Deleted
NetApp Filer User Last Activity
NetApp Filer Audit User Access
NetApp Filer Audit User Authentication
NetApp Filer Audit User Created/Deleted
NetApp Filer Audit User Last Activity
Nortel Contivity User Access
Nortel Contivity User Authentication
Nortel Contivity User Last Activity
Novell eDirectory Permission Modification
Novell eDirectory User Access
Novell eDirectory User Authentication
Novell eDirectory User Last Activity
Other UNIX Permission Modification
Other UNIX User Access
Other UNIX User Authentication
Other UNIX User Created/Deleted
Other UNIX User Last Activity
RSA ACE Server User Access
RSA ACE Server User Authentication
RSA ACE Server User Last Activity
Sidewinder User Access
Sidewinder User Authentication
Sidewinder User Created/Deleted
Sidewinder User Last Activity
SiteMinder User Access
SiteMinder User Authentication
SiteMinder User Last Activity
Sun Solaris Permission Modification
Sun Solaris User Access
Sun Solaris User Authentication
Sun Solaris User Created/Deleted
Sun Solaris User Last Activity
Sun Solaris BSM Permission Modification
Sun Solaris BSM User Access
Sun Solaris BSM User Authentication
Sun Solaris BSM User Created/Deleted
Sun Solaris BSM User Last Activity
Symantec Endpoint Protection User Access
Symantec Endpoint Protection User Authentication
Symantec Endpoint Protection User Created/Deleted
Symantec Endpoint Protection User Last Activity
TIBCO ActiveMatrix Administrator User Access
TIBCO ActiveMatrix Administrator User Authentication
TIBCO ActiveMatrix Administrator User Last Activity
TIBCO Administrator User Access
TIBCO Administrator User Authentication
TIBCO Administrator User Last Activity
Tripwire Management Station User Access
VMware ESX Permission Modification
VMware ESX User Access
VMware ESX User Authentication
VMware ESX User Created/Deleted
VMware ESX User Last Activity
VMware Orchestrator User Access
VMware Orchestrator User Authentication
VMware Orchestrator User Last Activity
VMware vCenter User Access
VMware vCenter User Authentication
VMware vCenter User Last Activity
VMware vCloud Director User Access
VMware vCloud Director User Authentication
VMware vCloud Director User Created/Deleted
VMware vCloud Director User Last Activity
VMware vShield Edge User Access
VMware vShield Edge User Authentication
VMware vShield Edge User Last Activity
Table 3 Log Source Report Mapping by Device Type – Database Activity
Device Type Log Source Reports
IBM DB2 All Database Events
IBM DB2 Database Access
IBM DB2 Database Data Access
IBM DB2 Database Privilege Modifications
IBM DB2 Database System Modifications
Microsoft SQL Server All Database Events
Microsoft SQL Server Database Access
Microsoft SQL Server Database Data Access
Microsoft SQL Server Database Privilege Modifications
Microsoft SQL Server Database System Modifications
Oracle Database All Database Events
Oracle Database Database Access
Oracle Database Database Data Access
Oracle Database Database Privilege Modifications
Oracle Database Database System Modifications
Sybase ASE All Database Events
Sybase ASE Database Access
Sybase ASE Database Data Access
Sybase ASE Database Privilege Modifications
Sybase ASE Database System Modifications
Table 4 Log Source Report Mapping by Device Type – Enterprise Content Management
Device Type Log Source Reports
All ECM Activity
Cisco ASA Content Management
Cisco ASA ECM Activity
Fortinet FortiOS ECM Activity
Juniper SSL VPN Secure Access ECM Activity
Microsoft SharePoint Content Management
Microsoft SharePoint ECM Activity
Microsoft SharePoint Expiration and Disposition
Microsoft SharePoint Security Settings
Palo Alto Networks PANOS ECM Activity
Table 5 Log Source Report Mapping by Device Type – HP NonStop Audit
Device Type Log Source Reports
HP NonStop Audit Configuration Changes
HP NonStop Audit Failed And Successful Logins
HP NonStop Audit HP NonStop Audit Activity
HP NonStop Audit Object Access
HP NonStop Audit Object Changes
HP NonStop Audit User Actions
Table 6 Log Source Report Mapping by Device Type – IBM i5/OS
Device Type Log Source Reports
IBM i5/OS All Log Entry Types
IBM i5/OS System Object Access
IBM i5/OS User Access by Connection
IBM i5/OS User Action
IBM i5/OS User Jobs
Table 7 Log Source Report Mapping by Device Type – IBM z/OS Activity
Device Type Log Source Reports
z/OS RACF Unix System Services
z/OS RACF Violation
z/OS RACF Login/Logout
z/OS RACF Resource Access
z/OS RACF Security Modifications
z/OS RACF System Access/Configuration
Table 8 Log Source Report Mapping by Device Type – Mail Activity
Device Type Log Source Reports
Cisco ESA Server Activity
Microsoft Exchange 2000/03 Exchange 2000/03 Activity
Microsoft Exchange 2000/03 Exchange 2000/03 Delay
Microsoft Exchange 2000/03 Exchange 2000/03 Size
Microsoft Exchange 2000/03 Exchange 2000/03 SMTP
Microsoft Exchange 2007/10 Message Tracking Exchange 2007 Mail Size
Microsoft Exchange 2007/10 Message Tracking Exchange 2007 Activity
Microsoft Exchange 2007 Pop/Imap Server Activity
Microsoft Exchange 2007 SMTP Receive Server Activity
Microsoft Exchange 2007 SMTP Send Server Activity
Table 9 Log Source Report Mapping by Device Type – Network Activity
Device Type Log Source Reports
All Denied Connections
All NAT64 Activity
All VPN Sessions
Apache WebServer Web Cache Activity
Apache WebServer Web Surfing Activity
Blue Coat ProxySG Web Cache Activity
Blue Coat Syslog Web Cache Activity
Check Point Interface Accepted Connections
Check Point Interface Active VPN Connections
Check Point Interface Application Distribution
Check Point Interface Denied Connections
Check Point Interface FTP Connections
Check Point Interface VPN Access
Check Point Interface VPN Sessions
Check Point Interface VPN Top Lists
Check Point Interface Web Surfing Activity
Cisco ASA Accepted Connections
Cisco ASA Active FW Connections
Cisco ASA Active VPN Connections
Cisco ASA Application Distribution
Cisco ASA Denied Connections
Cisco ASA FTP Connections
Cisco ASA VPN Access
Cisco ASA VPN Sessions
Cisco ASA VPN Top Lists
Cisco ASA Web Surfing Activity
Cisco Content Engine Web Cache Activity
Cisco Content Engine Web Surfing Activity
Cisco FWSM Accepted Connections
Cisco FWSM Active FW Connections
Cisco FWSM Active VPN Connections
Cisco FWSM Application Distribution
Cisco FWSM Denied Connections
Cisco FWSM FTP Connections
Cisco FWSM VPN Access
Cisco FWSM VPN Sessions
Cisco FWSM VPN Top Lists
Cisco FWSM Web Surfing Activity
Cisco IOS Accepted Connections
Cisco IOS Denied Connections
Cisco NetFlow NAT64 Activity
Cisco NXOS Accepted Connections
Cisco NXOS Denied Connections
Cisco PIX Accepted Connections
Cisco PIX Active FW Connections
Cisco PIX Active VPN Connections
Cisco PIX Application Distribution
Cisco PIX Denied Connections
Cisco PIX FTP Connections
Cisco PIX VPN Access
Cisco PIX VPN Sessions
Cisco PIX VPN Top Lists
Cisco PIX Web Surfing Activity
Cisco Router Denied Connections
Cisco WSA Web Cache Activity
Cisco WSA Web Surfing Activity
Cisco VPN 3000 Active VPN Connections
Cisco VPN 3000 VPN Access
Cisco VPN 3000 VPN Sessions
Cisco VPN 3000 VPN Top Lists
F5 TMOS Accepted Connections
F5 TMOS Denied Connections
F5 TMOS Web Cache Activity
F5 TMOS Web Surfing Activity
Fortinet FortiOS Accepted Connections
Fortinet FortiOS Application Distribution
Fortinet FortiOS Denied Connections
Generic W3C Web Cache Activity
Generic W3C Web Surfing Activity
Juniper Firewall Accepted Connections
Juniper Firewall Application Distribution
Juniper Firewall Denied Connections
Juniper JunOS Accepted Connections
Juniper JunOS Application Distribution
Juniper JunOS Denied Connections
Juniper RT_Flow Accepted Connections
Juniper RT_Flow Denied Connections
Juniper SSL VPN Web Cache Activity
Juniper SSL VPN Web Surfing Activity
Microsoft DHCP DHCP Denied Activity
Microsoft DHCP DHCP Granted/Renewed Activity
Microsoft DHCP DHCP Activity
Microsoft IIS Web Cache Activity
Microsoft IIS Web Surfing Activity
Microsoft ISA Web Cache Activity
NetApp NetCache Web Cache Activity
Nortel Contivity Accepted Connections
Nortel Contivity Active VPN Connections
Nortel Contivity Application Distribution
Nortel Contivity Denied Connections
Nortel Contivity VPN Access
Nortel Contivity VPN Sessions
Nortel Contivity VPN Top Lists
Nortel Contivity Web Surfing Activity
Palo Alto Networks PANOS Accepted Connections
Palo Alto Networks PANOS Application Distribution
Palo Alto Networks PANOS Denied Connections
Palo Alto Networks PANOS Web Surfing Activity
RADIUS Acct Client Active VPN Connections
RADIUS Acct Client VPN Access
RADIUS Acct Client VPN Sessions
RADIUS Acct Client VPN Top Lists
Sidewinder Accepted Connections
Sidewinder Denied Connections
Squid Web Cache Activity
Symantec Endpoint Protection Accepted Connections
Symantec Endpoint Protection Application Distribution
Symantec Endpoint Protection Denied Connections
VMware vShield Edge Accepted Connections
VMware vShield Edge Denied Connections
VMware vShield Edge DHCP Activity
VMware vShield Edge DHCP Granted/Renewed Activity
Table 10 Log Source Report Mapping by Device Type – Operational
Device Type Log Source Reports
All All Unparsed Events
Active Directory All Unparsed Events
Active Directory Total Message Count
Apache WebServer All Unparsed Events
Apache WebServer Total Message Count
Blue Coat Proxy Syslog All Unparsed Events
Blue Coat Proxy Syslog Total Message Count
Blue Coat ProxySG All Unparsed Events
Blue Coat ProxySG Total Message Count
BMC Remedy ARS All Unparsed Events
BMC Remedy ARS Total Message Count
Check Point Interface All Unparsed Events
Check Point Interface Firewall Statistics
Check Point Interface Security Events
Check Point Interface System Events
Check Point Interface Total Message Count
Check Point Interface VPN Events
Cisco ASA All Unparsed Events
Cisco ASA Firewall Statistics
Cisco ASA Security Events
Cisco ASA System Events
Cisco ASA Total Message Count
Cisco ASA VPN Events
Cisco Content Engine All Unparsed Events
Cisco Content Engine Total Message Count
Cisco ESA All Unparsed Events
Cisco ESA Total Message Count
Cisco FWSM All Unparsed Events
Cisco FWSM Firewall Statistics
Cisco FWSM Security Events
Cisco FWSM System Events
Cisco FWSM Total Message Count
Cisco FWSM VPN Events
Cisco IOS All Unparsed Events
Cisco IOS Total Message Count
Cisco IPS All Unparsed Events
Cisco IPS Total Message Count
Cisco ISE All Unparsed Events
Cisco ISE Total Message Count
Cisco NetFlow All Unparsed Events
Cisco NetFlow Total Message Count
Cisco NXOS All Unparsed Events
Cisco NXOS Total Message Count
Cisco PIX All Unparsed Events
Cisco PIX Firewall Statistics
Cisco PIX Security Events
Cisco PIX System Events
Cisco PIX Total Message Count
Cisco PIX VPN Events
Cisco Router All Unparsed Events
Cisco Router Firewall Statistics
Cisco Router Total Message Count
Cisco Secure ACS All Unparsed Events
Cisco Secure ACS Total Message Count
Cisco WSA All Unparsed Events
Cisco WSA Total Message Count
Cisco Switch All Unparsed Events
Cisco Switch Total Message Count
Cisco VPN 3000 All Unparsed Events
Cisco VPN 3000 Total Message Count
Cisco VPN 3000 VPN Events
Cisco Win ACS All Unparsed Events
Cisco Win ACS Total Message Count
Decru Datafort All Unparsed Events
Decru Datafort Total Message Count
F5 TMOS Total Message Count
Fortinet FortiOS All Unparsed Events
Fortinet FortiOS Total Message Count
General Syslog All Unparsed Events
General Syslog Total Message Count
General TIBCO All Unparsed Events
General TIBCO Total Message Count
Generic W3C All Unparsed Events
Generic W3C Total Message Count
Guardium SQL Guard All Unparsed Events
Guardium SQL Guard Total Message Count
Guardium SQLGuard Audit All Unparsed Events
Guardium SQLGuard Audit Total Message Count
HP NonStop Audit All Unparsed Events
HP NonStop Audit Total Message Count
HP/UX All Unparsed Events
HP/UX Total Message Count
HP-UX Audit All Unparsed Events
HP-UX Audit Total Message Count
IBM AIX All Unparsed Events
IBM AIX Total Message Count
IBM AIX Audit All Unparsed Events
IBM AIX Audit Total Message Count
IBM DB2 All Unparsed Events
IBM DB2 Total Message Count
IBM i5/OS All Unparsed Events
IBM i5/OS Total Message Count
ISS RealSecure NIDS All Unparsed Events
ISS RealSecure NIDS Total Message Count
ISS SiteProtector All Unparsed Events
ISS SiteProtector Total Message Count
Juniper Firewall All Unparsed Events
Juniper Firewall Firewall Statistics
Juniper Firewall Security Events
Juniper Firewall System Events
Juniper Firewall Total Message Count
Juniper IDP All Unparsed Events
Juniper IDP Total Message Count
Juniper JunOS All Unparsed Events
Juniper JunOS Firewall Statistics
Juniper JunOS Total Message Count
Juniper RT_Flow All Unparsed Events
Juniper RT_Flow Firewall Statistics
Juniper RT_Flow Total Message Count
Juniper SSL VPN All Unparsed Events
Juniper SSL VPN Total Message Count
Juniper SSL VPN Secure Access All Unparsed Events
Juniper SSL VPN Secure Access Total Message Count
KondorPlus All Unparsed Events
KondorPlus Total Message Count
Linux All Unparsed Events
Linux Total Message Count
LogLogic Appliance All Unparsed Events
LogLogic Appliance Total Message Count
LogLogic Database Security Manager All Unparsed Events
LogLogic Database Security Manager Total Message Count
LogLogic Management Center All Unparsed Events
LogLogic Management Center Total Message Count
LogLogic Universal Collector All Unparsed Events
LogLogic Universal Collector Total Message Count
McAfee ePolicy Orchestrator All Unparsed Events
McAfee ePolicy Orchestrator Total Message Count
Microsoft DHCP All Unparsed Events
Microsoft DHCP Total Message Count
Microsoft DNS All Unparsed Events
Microsoft Exchange 2000/03 All Unparsed Events
Microsoft Exchange 2000/03 Total Message Count
Microsoft Exchange 2007/10 Application logs All Unparsed Events
Microsoft Exchange 2007/10 Application logs Total Message Count
Microsoft Exchange 2007/10 Message Tracking All Unparsed Events
Microsoft Exchange 2007/10 Message Tracking Total Message Count
Microsoft Exchange 2007 Pop/Imap All Unparsed Events
Microsoft Exchange 2007 Pop/Imap Total Message Count
Microsoft Exchange 2007/10 SMTP Receive All Unparsed Events
Microsoft Exchange 2007/10 SMTP Receive Total Message Count
Microsoft Exchange 2007/10 SMTP Send All Unparsed Events
Microsoft Exchange 2007/10 SMTP Send Total Message Count
Microsoft IAS All Unparsed Events
Microsoft IAS Total Message Count
Microsoft IIS All Unparsed Events
Microsoft IIS Total Message Count
Microsoft ISA All Unparsed Events
Microsoft ISA Total Message Count
Microsoft MOM/SCOM All Unparsed Events
Microsoft MOM/SCOM Total Message Count
Microsoft SharePoint All Unparsed Events
Microsoft SharePoint Total Message Count
Microsoft SQL Server All Unparsed Events
Microsoft SQL Server Total Message Count
Microsoft SQL Server Application logs All Unparsed Events
Microsoft SQL Server Application logs Total Message Count
Microsoft SQL Server GDBC All Unparsed Events
Microsoft SQL Server GDBC Total Message Count
Microsoft Windows All Unparsed Events
Microsoft Windows Total Message Count
Microsoft Windows Chinese All Unparsed Events
Microsoft Windows Chinese Total Message Count
Microsoft Windows French All Unparsed Events
Microsoft Windows French Total Message Count
Microsoft Windows German All Unparsed Events
Microsoft Windows German Total Message Count
Microsoft Windows Japanese All Unparsed Events
Microsoft Windows Japanese Total Message Count
Microsoft Windows Korean All Unparsed Events
Microsoft Windows Korean Total Message Count
MySQL Server GDBC All Unparsed Events
MySQL Server GDBC Total Message Count
NetApp Filer All Unparsed Events
NetApp Filer Total Message Count
NetApp Filer Audit All Unparsed Events
NetApp Filer Audit Total Message Count
NetApp NetCache All Unparsed Events
NetApp NetCache Total Message Count
Nortel Contivity All Unparsed Events
Nortel Contivity System Events
Nortel Contivity Total Message Count
Nortel Contivity VPN Events
Novell eDirectory All Unparsed Events
Novell eDirectory Total Message Count
Oracle Database All Unparsed Events
Oracle Database Total Message Count
Oracle GDBC All Unparsed Events
Oracle GDBC Total Message Count
Other File Device All Unparsed Events
Other File Device Total Message Count
Other UNIX All Unparsed Events
Other UNIX Total Message Count
Palo Alto Networks PANOS All Unparsed Events
Palo Alto Networks PANOS Total Message Count
RADIUS Acct Client All Unparsed Events
RADIUS Acct Client Total Message Count
RADIUS Acct Client VPN Events
RSA ACE Server All Unparsed Events
RSA ACE Server Total Message Count
Sidewinder All Unparsed Events
Sidewinder Firewall Statistics
Sidewinder Total Message Count
SiteMinder All Unparsed Events
SiteMinder Total Message Count
SiteProtector All Unparsed Events
SiteProtector Total Message Count
Snort All Unparsed Events
Snort Total Message Count
Sourcefire All Unparsed Events
Sourcefire Total Message Count
Sourcefire Defense Center All Unparsed Events
Sourcefire Defense Center Total Message Count
Squid All Unparsed Events
Squid Total Message Count
Sun Solaris All Unparsed Events
Sun Solaris Total Message Count
Sun Solaris BSM All Unparsed Events
Sun Solaris BSM Total Message Count
Sybase ASE All Unparsed Events
Sybase ASE Total Message Count
Symantec AntiVirus All Unparsed Events
Symantec AntiVirus Total Message Count
Symantec Endpoint Protection All Unparsed Events
Symantec Endpoint Protection Total Message Count
TIBCO ActiveMatrix Administrator All Unparsed Events
TIBCO ActiveMatrix Administrator Total Message Count
TIBCO Administrator All Unparsed Events
TIBCO Administrator Total Message Count
TIBCO Business Works All Unparsed Events
TIBCO Business Works Total Message Count
TIBCO EMSC All Unparsed Events
TIBCO EMSC Total Message Count
TIBCO Hawk Agent All Unparsed Events
TIBCO Hawk Agent Total Message Count
TrendMicro Control Manager All Unparsed Events
TrendMicro Control Manager Total Message Count
TrendMicro OfficeScan All Unparsed Events
TrendMicro OfficeScan Total Message Count
Tripwire Management Station All Unparsed Events
Tripwire Management Station Total Message Count
VMware ESX All Unparsed Events
VMware ESX Total Message Count
VMware Orchestrator All Unparsed Events
VMware Orchestrator Total Message Count
VMware vCenter Total Message Count
VMware vCenter All Unparsed Events
VMware vCloud Director Total Message Count
VMware vShield Total Message Count
z/OS RACF All Unparsed Events
z/OS RACF Total Message Count
Table 11 Log Source Report Mapping by Device Type – Policy Reports
Device Type Log Source Reports
Check Point Interface Rules/Policies
Juniper Firewall Rules/Policies
LogLogic Appliance Network Policies
Microsoft SharePoint ECM Policy
Nortel Contivity Rules/Policies
Table 12 Log Source Report Mapping by Device Type – Storage Systems Activity
Device Type Log Source Reports
NetApp Filer Filer Access
NetApp Filer Audit Filer Access
Table 13 Log Source Report Mapping by Device Type – Threat Management
Device Type Log Source Reports
All IDS/IPS Activity
All HIPS Activity
Cisco ASA IDS/IPS Activity
Cisco ASA Security Summary
Cisco ESA Threat Activity
Cisco ESA Configuration Activity
Cisco ESA Scan Activity
Cisco ESA Security Summary
Cisco FWSM IDS/IPS Activity
Cisco IOS IDS/IPS Activity
Cisco IPS Security Summary
Cisco ISE Security Summary
Cisco NXOS Security Summary
Cisco NXOS2 Security Summary
Cisco IPS IDS/IPS Activity
Cisco PIX IDS/IPS Activity
Cisco Secure ACS Security Summary
Cisco WSA Security Summary
F5 TMOS Security Summary
Fortinet FortiOS IDS/IPS Activity
Fortinet FortiOS Threat Activity
Guardium SQL Guard DB IPS Activity
Guardium SQLGuard Audit DB IPS Activity
ISS RealSecure NIDS IDS/IPS Activity
ISS SiteProtector IDS/IPS Activity
Juniper IDP IDS/IPS Activity
Juniper JunOS IDS/IPS Activity
McAfee ePolicy Orchestrator Configuration Activity
McAfee ePolicy Orchestrator HIPS Activity
McAfee ePolicy Orchestrator Scan Activity
McAfee ePolicy Orchestrator Threat Activity
Palo Alto Networks PANOS IDS/IPS Activity
Palo Alto Networks PANOS Threat Activity
SiteProtector IDS/IPS Activity
Snort IDS/IPS Activity
Sourcefire IDS/IPS Activity
Sourcefire Defense Center IDS/IPS Activity
Symantec AntiVirus Configuration Activity
Symantec AntiVirus Scan Activity
Symantec AntiVirus Threat Activity
Symantec Endpoint Protection Threat Activity
Symantec Endpoint Protection Configuration Activity
Symantec Endpoint Protection HIPS Activity
Symantec Endpoint Protection Scan Activity
Symantec Endpoint Protection Security Summary
TrendMicro Control Manager Threat Activity
TrendMicro OfficeScan Threat Activity
Table 14 Log Source Report Mapping by Device Type – Flow Activity
Device Type Log Source Reports
All Application Usage
All User Browsing Statistics
All Top Users
Cisco NetFlow Application Usage
Cisco NetFlow User Browsing Statistics
Cisco NetFlow Top Users