Release Notes

ArcSight™ SmartConnector™

Release 4.7.4.5335

July 10, 2009

ArcSight Confidential

Copyright © 2009 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be trademarks of their respective owners.

Follow this link to see a complete statement of ArcSight's copyrights, trademarks and acknowledgements: http://www.arcsight.com/company/copyright/.

This document is ArcSight Confidential.

SmartConnector Release 4.7.4.5335 Release Notes Page ii

Contents

SmartConnector Release 4.7.4.5335
  Important Note for Versions of ArcSight Manager Prior to 3.5 SP3
  To Apply This Release
New Connectors
Connectors with New Device Versions Supported
SmartConnector Enhancements
Connector End-of-Life Notices
Issues Closed
Available Beta Support
  Beta SmartConnectors
  Scanner FlexConnectors
Known Issues or Limitations
New and Updated SmartConnector Documentation

SmartConnector Release 4.7.4.5335

These notes describe how to apply the latest release of ArcSight's SmartConnectors and provide other information about recent changes and open and closed issues.

Important Note for Versions of ArcSight Manager Prior to 3.5 SP3

Do not install this new SmartConnector release until you complete these steps.

As announced previously, for easy reference, SmartConnector versioning now reflects the timing of each release. If you are running versions of ArcSight ESM Manager prior to version 3.5 SP3, make the following modifications to ensure that zones and categorizations match up and install properly. Modify these properties in the config/server.properties file in your ArcSight ESM Manager version 3.5 pre-SP3 installation:

zone-mapping.aup.agent.version.max=9.9.9.9999.7
console-category.aup.agent.version.max=9.9.9.9999.7

Restart the ArcSight Manager for this change to take effect.

If you will be upgrading your ArcSight ESM Manager in the near future, by waiting until that time to install this SmartConnector release, you can avoid an additional ArcSight ESM Manager restart.

To Apply This Release

Download the appropriate executable for your platform as well as the zipped file of SmartConnector Configuration Guides for the release. For a successful SmartConnector installation, follow the installation procedures documented in the individual SmartConnector Configuration Guides.

To ensure the most current configuration guides are available with each SmartConnector release, they are offered in a separate downloadable file from the ArcSight Customer Support site rather than as part of the SmartConnector installation process. Create a folder for the documentation (such as c:\ArcSight\Docs) and unzip the file there. Then double-click index.html to access the individual configuration guides.

To keep support information current, each SmartConnector Configuration Guide contains a link to a separate document entitled "SmartConnector Product and Platform Support." You also can access this document from the index.html or SmartConnectorReadMe.htm file downloaded with the documentation.

New Connectors

| SmartConnector for | Device Version Supported |
|---|---|
| Solaris Basic Security Module Syslog | 10 |

Connectors with New Device Versions Supported

| SmartConnector for | Device Version Supported |
|---|---|
| Check Point FW-1/VPN-1 OPSEC NG | R70 |
| Juniper NetScreen IDP Syslog | 4.1 – 5.0 |
| McAfee FoundScan DB | 6.7 |
| McAfee IntruShield Manager Syslog | 5.1 |
| Qualys Vulnerability Scanner | 6.5.118-1 |

Connectors with New Product Support

| SmartConnector for | New Product Supported |
|---|---|
| McAfee ePolicy Orchestrator DB | Rogue System Detection v2.0 with ePO 4.0; Rogue System Detection v1.0 with ePO 3.6 |

SmartConnector Enhancements

In each SmartConnector release, updates and enhancements are made to the field mappings for individual SmartConnectors. If you use any of the SmartConnectors listed in the "Issues Closed" section of these release notes, be aware that installing the updated SmartConnector can impact your created content.

ArcSight advises you to verify your content before deploying the SmartConnector into your production environment.

FIPS Compliance

Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for government-wide use.

ArcSight has added support for SmartConnector installation in FIPS-compliant mode. See the connectors under New and Updated SmartConnector Documentation for a list of connectors with this new support.

McAfee ePolicy Orchestrator DB

Added support for HIPS, Rogue System Detection, and MA events. See the SmartConnector Configuration Guide for specific products and versions now supported.

Microsoft DHCP File

Added support for processing of multiple log files.

Symantec Endpoint Protection DB

Added support for Network Access Control events.

Connector End-of-Life Notices

Symantec Endpoint Protection Syslog – Support ending 12/31/2009

Currently, ArcSight supports Symantec Endpoint Protection through two integration points—Syslog and Microsoft SQL Server Database. While a syslog-based connector generally provides benefits such as ease of use, it has been discovered over time that the Symantec Endpoint Protection syslog does not offer the level of normalization necessary for effectively building and maintaining a connector.

Symantec Endpoint Protection integrates multiple endpoint security components into one integrated solution. For every component (AntiVirus, Spyware, Network Threat Protection, and so on) there could be many different event types, necessitating the development of sub-message patterns for each of the event types. The Microsoft SQL database, on the other hand, allows one query to be built for each component, making a database connector a much more viable and scalable integration solution.

Given its technical limitation, we have decided to phase out support for Symantec Endpoint Protection event collections via syslog. Although we will continue to invest in and enhance the database connector, our current plan is to discontinue support for the syslog-based Symantec Endpoint Protection connector by December 31, 2009. ArcSight strongly encourages customers who are currently using this syslog connector to migrate to the Symantec Endpoint Protection DB connector in the next few months. In the meantime, any parsing issues with the syslog connector will be handled on a case-by-case basis.

Check Point Firewall-1 4.1 OPSEC

This connector has reached end of life and has been removed from SmartConnector builds.

Cisco PIX/ASA/FWSM Syslog

Support for version 5.x has been removed.

Issues Closed

| SmartConnector for | Number | Description |
|---|---|---|
| All SmartConnectors | 58006 | Entries in the name resolver cache normally are refreshed after the Time To Live (TTL), but if that refresh is substantially delayed, the normal algorithm disregards the cached value after double the TTL. There is a new property (name.resolver.cache.no.ttl) that can be set in agent.properties. When this property is set to true, the name resolver cache entries will continue to be used indefinitely. |
| All SmartConnectors | 56959 | Previously, aggregation could cause memory issues and a null pointer exception. This problem has been fixed. |
| Blue Coat Proxy SG File | 55963 | When s-ip was populated with an IP address (s-ip can contain an IP or a web URL) and the connector did the resolution, a device was created for what was a target host. This resulted in a device being created for every website or host accessed through the Blue Coat proxy, causing issues with managers and databases. This problem has been fixed. |
| Blue Coat Proxy SG File | 56915 | Previous problems with URL and URI field resolution have been fixed. |
| Check Point FW-1/VPN-1 OPSEC NG | 29167 | Updated severity mappings for the Check Point AD connector. See the SmartConnector for Check Point FW-1/VPN-1 OPSEC NG Configuration Guide for detailed mapping information. |
| Cisco Secure ACS | 56813 | The ESM Manager previously threw an exception due to a long additional data name sent from the connector. The connector has been modified to fix this problem. |
| Fortinet FortiGate Syslog | 57333 | An exception was thrown when a comma appeared where only integers were expected. The parser has been updated to fix this problem. |
| Rapid7 NeXpose XML File | 45363 | The connector no longer creates assets with blank Host Name fields. |
| IBM Lotus Domino DB | 51709 | The parser has been updated to fix problems that previously caused a fatal exception at connector startup. |
| McAfee ePolicy Orchestrator DB, McAfee HIPS DB, McAfee HIPS Multiple DB | 57190 | When running connectors for both McAfee ePO DB and McAfee HIPS DB that pull events from the same database, some event duplication previously occurred. The McAfee HIPS DB connectors no longer collect anti-virus events. The McAfee ePolicy Orchestrator DB connector now collects HIPS events. See the SmartConnector Configuration Guides for more information. |
| MessageGate Syslog | 56767 | Previously, the connector set the Device Receipt Time year to 1970 for MessageGate events without a date \| time. This problem has been fixed. |
| Microsoft Windows Event Log – Unified | 53335 | SID translation for security events 538, 540, and 576 previously did not occur. This problem has been fixed. |
| Microsoft Windows Event Log – Unified | 54480 | Previously, SID translation failed when the SID contained double hyphens. This problem has been fixed. |
| Microsoft Windows Event Log – Unified | 56002 | The connector now continues to map correctly, even when the 'Reason' field is missing from the raw event for security event 529. |
| Microsoft Windows Event Log – Unified | 56254 | Workstation Name and Source Address fields are now mapped correctly for security event 537 events. |
| Microsoft Windows Event Log – Unified | 57249 | Mapping problems for security event 565 have been fixed. |
| Microsoft Windows Event Log – Unified | 57157 | Implemented SID re-translation and multi-threaded SID translation. |
| NIKSUN NetDetector Syslog | 56811 | The parser has been updated to accommodate previously unparsed events. |
| Oracle Audit DB | 58319 | The connector was not verifying connection with all configured databases during connector configuration. This problem has been fixed. |
| Oracle Audit DB | 58363 | Previously, when the connector was configured to connect to multiple databases, it connected only to the last configured database. This problem has been fixed. |
| Symantec Endpoint Protection DB | 57004 | The following mappings have been updated: Allowed or Blocked is mapped to Device Action; HOST_NAME is mapped to Device Custom String 2; LOCATION_NAME is mapped to Device Custom String 5. |
| Symantec Endpoint Protection Syslog | 57393 | A parser problem discovered with Security Risk Found (Heuristic Scan) events has been fixed. |
| Tenable Nessus File | 50148 | The parser has been modified to parse multiple OS occurrences. |

Available Beta Support

For the enhancements or fixes for SmartConnectors listed in this section, formal release after testing and documenting will be available in a future SmartConnector release. It is up to your discretion whether to update your installed connectors with this build. Contact ArcSight Customer Support for more information if you are interested in any of these items.

Localization for Microsoft Windows Event Log – Unified Connector

Beta support has been added for the localization of security events for the Simplified and Traditional Chinese, French, and Japanese languages.

FlexConnector for Multiple Database Instances

Beta support is provided to correct a problem in which, for the multiple database connector, events from a database table that uses negative BIGINT IDs were not collected, or events from a database table that uses positive BIGINT IDs were collected repeatedly.

Red Hat Enterprise Linux 5.3 (RHEL 5) AS 64-bit JVM

Beta support for this platform is available.

nCircle Scanner XML3 File

Beta support for device version 6.8.

Beta SmartConnectors

SmartConnector for Lancope SMC Web Services

This SmartConnector obtains flows, probes, and host snapshots from Lancope StealthWatch Management Console (SMC) and can, optionally, generate ArcSight events. Lancope SMC version 5.8 is supported.

Scanner FlexConnectors

See the ArcSight FlexConnector Developer's Guide for complete information on Scanner FlexConnector beta support for the following:

• ArcSight FlexConnector for Scanner DB
• ArcSight FlexConnector for Scanner Text Reports
• ArcSight FlexConnector for Scanner XML Reports

Known Issues or Limitations

ArcSight FlexConnector CounterACT

When "ArcSight FlexConnector CounterACT" is selected for installation, a popup window asks whether you want to use the configuration wizard to define the CounterACT commands. Answering "Yes" causes an error that shuts down connector installation. Select "No" for successful installation of the FlexConnector. When "No" is selected, the installation sequence asks for the CounterACT properties file name, which should have already been authored manually. This problem will be fixed in a future SmartConnector release.

ArcSight Threat Response Manager CounterACT

If you install the CounterACT connector on a system running Java JRE 1.6, perform these steps on that system after installation is complete:

In the following procedure, ARCSIGHT_HOME is the directory where the CounterACT connector software is installed.

On Linux or Unix:

1. In the ARCSIGHT_HOME/jre6/lib directory, create a sub-directory called endorsed with read, write, and execute permissions.

2. Copy the ARCSIGHT_HOME/lib/agent/saaj.jar file to the sub-directory called endorsed, which you created in step 1.

On Windows:

1. In the ARCSIGHT_HOME\jre6\lib directory, create a sub-directory called endorsed with read, write, and execute permissions.

2. Copy the ARCSIGHT_HOME\lib\agent\saaj.jar file to the sub-directory called endorsed, which you created in step 1.

Aruba Mobility Controller Syslog

Due to Aruba product limitations, the Aruba Networks Mobility Controller syslog messages can only be processed by the syslog daemon connector, not by the syslog pipe or syslog file connector. The SmartConnector processes the security events only.

Cisco CiscoWorks

The ArcSight SmartConnector for CiscoWorks Syslog supports a limited set of syslog messages originating from a specific CiscoWorks component. Full CiscoWorks syslog support will be certified in an upcoming SmartConnector release.

Cisco NetFlow File

The connector currently listens to all traffic on the specified port rather than by individual IP address. This issue is being addressed and will be fixed in a future SmartConnector release.

DB SmartConnectors on Windows Server 2003 R2 Enterprise x64 that use ODBC System DSN

We have found that the JDBC/ODBC bridge driver "sun.jdbc.odbc.JdbcOdbcDriver" does not work with the ODBC System data sources created using Control Panel -> Administrative Tools -> Data Sources (ODBC) on the Windows Server 2003 R2 64-bit platform. To use this driver, create ODBC System data sources using the executable at c:\Windows\SysWOW64\odbcad32.exe. This opens up the same type of graphical user interface as the Control Panel -> Administrative Tools -> Data Sources (ODBC), but it creates the data sources using the 32-bit drivers.

IBM Lotus Domino DB

ArcSight has identified a potential problem with the IBM Domino ODBC driver that can cause data duplication when using ArcSight’s SmartConnector for IBM Lotus Domino DB. We have been able to reproduce a customer issue in which the Domino connector can inadvertently send duplicate data to the ArcSight ESM Manager or ArcSight Logger. This SmartConnector uses IBM’s Domino ODBC driver to retrieve data from the Domino server; ArcSight has traced the issue to an incorrect result set returned by this ODBC driver. Based upon our lab testing, the issue may be related to large log.nsf files (a file size of 1.6Gb in our lab, but size might depend upon Domino’s server hardware).

The cause of this data duplication issue has not yet been confirmed with IBM, but we are currently seeking their assistance. In our lab, once the log was cleaned up, reducing its size in the process, the problem disappeared and IBM’s Domino ODBC driver started returning correct result sets. Until we receive further information from IBM regarding this issue, customers are advised to periodically monitor the data sent by the connector and, in particular, the size of the log.nsf file to make sure it does not grow too large.

The SmartConnector for IBM Lotus Domino SNMP has been developed for situations in which this known issue occurs.

Lancope SMC Web Services – Beta

The ArcSight Lancope SMC Web Services connector logs the inaccurate message ‘Failed to execute command’ in agent.log and also sends an internal ArcSight event for this, even when the command is successfully executed and receives the response from the connector. This is only a case of inaccurate logging and an inaccurate internal event, and it has no impact on the connector's command response and event generating capabilities.

Microsoft ISA Multiple Server File

The SmartConnector for Microsoft ISA Multiple Server cannot be run as a service when it is run remotely.

Microsoft Windows Event Log — Unified

The following known limitations exist for the current release of this connector:

♦ In some cases, the description of specific Windows events may not be captured into individual ArcSight event fields. When this happens, the missing information is captured in the Raw Event field and the agent log displays a warning that it has received an unmatched number of keys and values for a particular Windows event ID. This can be addressed by a parser fix. See the "Troubleshooting" section for an example of how to resolve these key values.

♦ SID translation is supported on a best-effort basis, but there may be a few instances when SIDs cannot be successfully translated. This can happen because of network issues, because the host is busy and may not respond, or because the SID is unresolvable, any of which leaves the connector unable to translate the SID. The connector attempts to translate all the SIDs by default. If the first translation attempt fails, the connector retries three times. If translation still fails, SID translation can be enabled in multi-threaded mode by setting the parameter sidguidtranslationmultithreaded to true. See "Troubleshooting" or "Advanced Common Configuration Parameters for SID Translation" for more configuration information.

♦ GUID translation is not currently supported.

Solsoft Version Support

The Solsoft CounterAct SmartConnector may not work with Solsoft version 7.0.2 and later versions.

As of connector release 4.7.1.5233, a newer version of Apache AXIS library is being used for the web services client. This could affect the operation of the SmartConnector for Solsoft CounterAct, which used an older version of the Apache AXIS library. The workaround for this problem is to rename the library file named all-axis-libs.jar under lib/agent/axis to another name (for example, all-axis-libs.jar.bak).

Symantec Endpoint Protection Syslog

For some Network Thread Detection events, there may be none, one, or multiple sets of IP information for the same host. Currently, for such events, the host name and IP address are not mapped to the destination host name and address fields; the entire network information is mapped to the message field. Sub-parsing and mapping of these events to the appropriate fields will be available in a future SmartConnector release.

New and Updated SmartConnector Documentation

The following SmartConnector documentation has been added or updated for this release.

Technical Notes for Installing FIPS-Compliant SmartConnectors

Technical notes describing the process for installing FIPS-compliant connectors are provided via hot links in the applicable SmartConnector configuration guides.

Aladdin eSafe Gateway File

Updated mapping information and global update to installation procedure for FIPS support.

Blue Coat Proxy SG File

Added new Device Address mapping to x-bluecoat-proxy-primary-address for all supported log types; added configuration information for including this field. Updated field mappings. Removed configuration steps for getting AV events through this connector; this function is not available at this time. Global update to installation procedure. Global update to installation procedure for FIPS support.

Check Point FW-1/VPN-1 OPSEC NG

Added support for Check Point FW-1/VPN-1 OPSEC NG R70. Global update to installation procedure for FIPS support. Updated severity mappings for Advanced Security Log.

Cisco PIX/ASA/FWSM Syslog

Removed support for version 5.x. Global update to installation procedure for FIPS support.

Juniper NetScreen IDP Syslog

Added support for NetScreen versions 4.1 - 5.0. Global update to installation procedure for FIPS support.

McAfee ePolicy Orchestrator DB

Added support for Rogue System Detection and MA events. Integrated HIPS event coverage into ePO DB connector. Global update to installation procedure for FIPS support. Reference added for JDBC driver Connector Appliance upload information.

McAfee FoundScan DB

Added support for FoundScan version 6.7. Reference added for JDBC driver Connector Appliance upload information.

McAfee IntruShield Manager Syslog

Added support for McAfee Network Security Manager v5.1 events. Global update to installation procedure for FIPS support.

Microsoft IIS File

Added Request URL File Name field mapping. Global update to installation procedure for FIPS support.

Microsoft DHCP File

Added support for multiple log files. Global update to installation procedure for FIPS support.

Microsoft Windows Event Log – Unified

Updated Features and Enhancements and Known Limitations for SID translation updates. Added "Advanced Common Configuration Parameters for SID Translation" and updated Troubleshooting. Added beta support for the localization of security events for the Simplified and Traditional Chinese, French, and Japanese languages.

NetContinuum Web Firewall Syslog

Updated mappings information and global update to installation procedure for FIPS support.

Qualys Vulnerability Scanner DB

Added support for version 6.5.118-1.

Rapid7 NeXpose File

Updated field mappings and global update to installation procedure for FIPS support.

RSA ClearTrust File

Updated mapping information and global update to installation procedure for FIPS support.

Solaris Basic Security Module Syslog

New configuration guide for new connector. Includes global update to installation procedure for FIPS support.

Sun ONE Web Access Server

Updated mapping information and global update to installation procedure for FIPS support.

Symantec Endpoint Protection DB

Support added for Network Access Control events. Global update to installation procedure for FIPS support. Reference added for JDBC driver Connector Appliance upload information.

The following configuration guides have been updated for FIPS support and to have a new reference to the ArcSight Connector Appliance Administrator's Guide for JDBC driver upload instructions.

SmartConnectors using Microsoft SQL Server 2005 JDBC drivers with encryption enabled cannot be installed in FIPS-compliant mode.

ActivCard AAA Server DB

Application Security AppDetective DB

eEye REM Security Management Console

eEye Retina Network Security Scanner (DSN-Based)

Harris STAT Scanner DB

IBM/ISS ICEcap Manager DB

IBM/ISS Internet Scanner DB

IBM/ISS RealSecure DB

IBM/ISS Site Protector DB

Intrusion SecureNet Provider DB

Lumension PatchLink Scanner DB

McAfee Desktop Firewall DB

McAfee ePO Asset Scanner DB

McAfee Host Intrusion Prevention DB

McAfee Host Intrusion Prevention Multiple DB

Microsoft Audit Collection System DB

Microsoft Operations Manager DB

Microsoft SQL Server Audit DB (Legacy)

Microsoft SQL Server Multiple Instance Audit DB

NetIQ Security Manager DB

Quest InTrust for Windows DB

Symantec Critical System Protection DB

Symantec ManHunt DB

Trend Micro Asset Scanner DB

Trend Micro Control Manager NG DB

The following configuration guides have been updated to add a link to installation information for FIPS-compliant connectors.

AirDefense Enterprise Syslog

Apache HTTP Server Access Log

Apache HTTP Server Error Log

Apache HTTP Server Syslog

Arbor Networks Peakflow Syslog

ArcSight Common Event Format Syslog

ArcSight Common Event Format File

ArcSight Logger Streaming Connector

Aruba Mobility Controller Syslog

BEA WebLogic Server File

Blue Coat Proxy SG Syslog

Bro IDS File

CA eTrust SiteMinder File

CA Top Secret for z/OS File

Check Point Firewall-1 SAM

Check Point Firewall-1 SNMP

Check Point FW-1/VPN-1 OPSEC NG (Legacy)

Cisco Catalyst OS Syslog

Cisco CiscoWorks Syslog

Cisco IDS RDEP

Cisco IPS SDEE

Cisco IronPort Email Security File

Cisco IronPort Email Security Syslog

Cisco IronPort Web Security File

Cisco Mobility Services Engine Syslog

Cisco PIX SNMP

Cisco Router Syslog

Cisco Secure ACS File

Cisco Secure ACS Syslog

Cisco Secure IDS Post Office

Cisco Security Agent File

eEye Retina Network Security Scanner DB

eEye Retina Network Security Scanner (RTD5) DB

Enterasys Dragon Export Tool File

Enterasys Dragon Server SNMP

F-Secure Anti-Virus File

Fortinet Fortigate Syslog

HoneyD Syslog

HP OpenVMS File

HP ProCurve Ethernet Switch SNMP

HP-UX Audit File

IBM AIX Audit File

IBM AS/400 Audit Journal File

IBM DB2 UDB Audit File

IBM Lotus Domino DB

IBM Lotus Domino SNMP

IBM Lotus Domino Web Server File

IBM NVAS for z/OS File

IBM NVAS Session for z/OS File

IBM RACF for z/OS File

IBM SDSF System Log for z/OS File

IBM System Log for z/OS File

IBM Tivoli Access Manager File

IBM Tivoli Access Manager XML File

IBM WebSphere File

IDMEF XML File

Ingrian DataSecure Syslog

Intersect Alliance SNARE for Windows Syslog

Intrusion Computer Misuse Detection System File

Intrusion SecureNet Provider SNMP

iPolicy Intrusion Prevention Firewall Syslog

ISC BIND Syslog

ISC DHCP Syslog

Juniper M Series Routers Syslog

Juniper NetScreen OS Syslog

Juniper NetScreen Security Manager Syslog

Juniper NetScreen SSL VPN Syslog

Juniper Steel-Belted Radius File

Lancope StealthWatch Syslog

Lucent Brick Managed Services File

Lumeta IPsonar File

Mazu Profiler DB

Mazu Profiler V3 DB

McAfee Antivirus VirusScan File

McAfee Entercept API

McAfee Entercept DB

McAfee IntruShield DB

McAfee Secure Internet Gateway Syslog

MessageGate Syslog

Microsoft Auditing Collection System

Microsoft Exchange Message Tracking Log File

Microsoft IAS File

Microsoft IIS Multiple Server File

Microsoft IIS Multiple Site File

Microsoft IIS Syslog

Microsoft ISA Multiple Server File

Microsoft ISA Server File

Microsoft ISA Server 2004 File

Mirage CounterPoint Syslog

Nagios Syslog

nCircle Scanner SNMP

nCircle Scanner XML2 File

Network Appliance NetCache File

Newbury WiFi WatchDog Syslog

NFR Central Management and Sentivist Servers File

NFR Central Management Server File

NFR Host Intrusion Detection DB

NIKSUN NetDetector Syslog

NitroSecurity IPS Syslog

Nmap XML File

Nortel Contivity Switch Syslog

Novell Nsure Audit DB

Oblix NetPoint File

Oracle Audit DB

Oracle Audit Syslog

Oracle SYSDBA Audit Syslog

OVAL XML File

PureSight Content Filter DB

QoSient ARGUS

Radware DefensePro Syslog

RSA ACE Server Syslog

SaberNet NTSyslog Syslog

SANA Primary Response SNMP

SAINT Vulnerability Scanner

SAP Audit File

SAP Real-Time Audit File

SAP Real-Time Multiple Folder Audit File

Secure Computing Gauntlet Syslog

Secure Computing IronMail Syslog

Secure Computing SafeWord Premier Access File

Secure Computing Sidewinder Syslog

Securify SecurVantage SNMP

Sendmail Syslog

Snort DB

Snort File

Snort IDS (Barnyard) File

Snort Multiple File

Solaris Basic Security Module File

SonicWALL Firewall Syslog

Sourcefire Defense Center eStreamer

Sourcefire/Snort Sensor Syslog

Squid Proxy Server File

Stonesoft StoneGate Firewall Syslog

Sun ONE Directory Multiple Server File

Sun ONE Directory Server File

Sybari Antigen for Microsoft Exchange DB

Sybase Adaptive Server Enterprise DB

Symantec AntiVirus Corporate Edition File and Multiple File

Symantec Endpoint Protection Syslog

Symantec Enterprise Firewall File

Symantec Enterprise Firewall SNMP

Symantec Enterprise Security Manager DB

Symantec ESM Reporting DB

Symantec Gateway Security/Enterprise Firewall File

Symantec Gateway Security/Enterprise Firewall NG File

Symantec Intruder Alert File

Symantec Intruder Alert SNMP

Symantec Mail Security Syslog

Symantec ManHunt Syslog

Symantec NetRecon NRD File

Symantec Network Security Syslog

Symantec SESA DB

Tenable Nessus NSR File

Tenable Nessus XML File

Tenable Nessus XML for Windows

TippingPoint UnityOne Syslog

TopLayer Attack Mitigator Syslog

Tripwire Enterprise Syslog

Tripwire Manager File

Type80 SMA_RT Syslog

Unix Login/Logout

VarySys PacketAlarm Syslog

Visionael Security Audit DB

Vontu CEF Syslog

Vormetric CoreGuard Syslog

Websense Web Security Suite SNMP

Webwasher CSM File