Syslog - Nozomi Networks Guardian CEF

Device Details

Vendor	Nozomi Networks
Device Type	Network Security (ICS/SCADA)
Supported Model Name/Number	Nozomi Networks Guardian
Supported Software Version(s)	20.0.0
Collection Method	Syslog
Configurable Log Output?	Yes (CEF, LEEF, JSON)
Log Source Type	Syslog - Nozomi Networks Guardian CEF
Log Processing Policy	LogRhythm Default
Exceptions	N/A
Additional Information	https://www.nozominetworks.com/

Prerequisites

Common Event Format (CEF) configuration, where message formatting is defined as the following:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Currently Supported Log Types

Type	Product Version	Supported Schema Fields
Audit Messages	20.0.0	<version>, <vmid>, <command>, <severity>, <useragent>, <vendorinfo>, <sip>, <login>
Health Messages	20.0.0	<version>, <vmid>, <command>, <severity>, <vendorinfo>, <tag1>, <status>
Alert & Incident Messages	20.0.0	<version>, <vmid>, <command>, <severity>, <process>, <dip>, <dname>, <dmac>, <dport>, <vendorinfo>, <sip>, <sname>, <smac>, <sport>, <protname>, <sip>, <smac>, <protname>
Catch-All : Level 2	20.0.0	<vmid>, <severity>
Catch-All : Level 1	20.0.0	<severity>

Configure the Device

Set endpoint configuration to Common Event Format (CEF)
Commit changes

Parsed Metadata Fields

Device Field Name	LogRhythm Metadata Field	Value/Data Type
app	<process>	Text/String
CEF prefix field: Device Version	<version>	Numeric
CEF prefix field: Signature ID	<vmid>	Text/String
CEF prefix field: Name	<command>	Text/String
CEF prefix field: Severity	<severity>	Numeric
cs1	<useragent>	Text/String
dhost	<dname>	Text/String
dmac	<dmac>	MAC Address
dpt	<dport>	Numeric
dst	<dip>	IP Address
msg	<vendorinfo>	Text/String
proto	<protname>	Text/String
shost	<sname>	Text/String
smac	<smac>	MAC Address
spt	<sport>	Numeric
src	<sip>	IP Address
Status syntax within msg field	<tag1>	Text/String
Status syntax within msg field	<status>	Text/String
suser	<login>	Text/String