The normalizers listed in the table below are included in the KUMA kit.
| Normalizer name | Source of events | Type | Comment |
|---|---|---|---|
| [Example] Apache Access Syslog (Common or Combined Log Format) | Apache access.log in Common or Combined Log Format, with Syslog header | syslog | |
| [Example] Apache Access file (Common or Combined Log Format) | Apache access.log in Common or Combined Log Format | regexp | Reading file |
| [Example] BIND Syslog | BIND DNS server logs, with Syslog header | syslog | |
| [Example] BIND file | BIND DNS server logs | regexp | Reading file |
| [Example] Bastion SKDPU-GW | IT Bastion SKDPU system | syslog | |
| [Example] CEF | Events in CEF format from arbitrary sources | cef | |
| [Example] Checkpoint Syslog CEF by CheckPoint | Checkpoint, normalization based on the vendor's CEF event representation diagram | syslog | |
| [Example] Checkpoint Syslog basic | Custom mapping of Checkpoint fields, normalization depending on the type of asset | syslog | |
| [Example] Cisco Basic | Cisco ASA base set of events | syslog | |
| [Example] Cisco ASA Extended v 0.1 | Cisco ASA extended set of events | syslog | |
| [Example] Cisco WSA AccessFile | Cisco WSA proxy server, access.log file | regexp | Reading file |
| [Example] Continent DB AlertLog | Continent hardware and software encryption system, DB query, AlertLog table | sql | |
| [Example] Continent DB PacketLog | Continent hardware and software encryption system, DB query, PacketLog table | sql | |
| [Example] Continent DB ServerAccessLog | Continent hardware and software encryption system, DB query, ServerAccessLog table | sql | |
| [Example] Continent DB SystemLog | Continent hardware and software encryption system, DB query, SystemLog table | sql | |
| [Example] CyberTrace | Kaspersky CyberTrace events | regexp | |
| [Example] DNS Windows | Windows DNS server logs | regexp | Reading file |
| [Example] Dovecot Syslog | Dovecot POP3/IMAP server logs | syslog | |
| [Example] Exchange CSV | Exchange server MTA logs | csv | Reading file |
| [Example] Fortimail | FortiMail mail system logs | regexp | KUMA v 1.5 only |
| [Example] IIS Log File Format | Microsoft IIS logs | regexp | Reading file |
| [Example] IPFIX | NetFlow events in IPFIX format | ipfix | |
| [Example] InfoWatch Traffic Monitor | InfoWatch Traffic Monitor DLP system | sql | |
| [Example] KATA | Kaspersky Anti Targeted Attack | cef | |
| [Example] KICS4Net v2.x | Kaspersky Industrial CyberSecurity for Networks v2.x | cef | |
| [Example] KICS4Net v3.x | Kaspersky Industrial CyberSecurity for Networks v3.x | syslog | |
| [Example] KSC | Kaspersky Security Center | cef | Passive receiving of events from KSC: KUMA listens on the port, KSC sends the events |
| [Example] KSC from SQL | Kaspersky Security Center | sql | Active receiving of events from KSC: KUMA queries the events from the KSC database |
| [Example] KSMG | Kaspersky Secure Mail Gateway | syslog | |
| [Example] Linux audit and iptables Syslog | Linux auditd and iptables events, with Syslog header | syslog | |
| [Example] Linux audit.log file | Linux auditd events (audit.log) | regexp | Reading file |
| [Example] Syslog | Events in Syslog format from arbitrary sources | syslog | |
| [Example] Syslog-CEF | Events in CEF format from arbitrary sources, with Syslog header | syslog | |
| [Example] VipNet Coordinator Syslog | ViPNet Coordinator logs | syslog | |
| [Example] Windows Basic | Basic set of Windows Security events | xml | |
| [Example] Windows Extended v.0.1 | Extended set of Windows events | xml | |
| [Example] pfSense Syslog | pfSense events | syslog | |
| [Example] pfSense w/o hostname | Custom pfSense event normalizer for events whose Syslog header lacks the hostname (non-standard Syslog header format) | regexp | |
| [Example][Syslog] Continent IPS/IDS & TLS | Continent intrusion detection system, TLS | syslog | Receiving from Syslog |
| [Example][regexp] Continent IPS/IDS & TLS | Continent intrusion detection system, TLS | regexp | Reading file |
| [Example] NetFlow v5 | NetFlow v5 events | netflow5 | |
| [Example] NetFlow v9 | NetFlow v9 events | netflow9 | |
| [Example] MS DHCP file | Windows DHCP server logs | csv | Reading file |
| [Example] Nginx regexp | Nginx logs | regexp | |
| [Example] PA-NGFW (Syslog-CSV) | Palo Alto Networks logs in CSV format | csv | CEF is the preferred format for sending logs; send CSV only when sending CEF is not possible |
| [Example] PT WAF | Positive Technologies Web Application Firewall | syslog | |
| [Example] Squid access Syslog | Squid proxy server access.log, with Syslog header | syslog | |
| [Example] Squid access.log file | Squid proxy server access.log | regexp | Reading file |
| [Example] Unbound Syslog | Unbound DNS server logs | syslog | |
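Several sources in the table come in pairs: a "Syslog" normalizer for events that arrive with a Syslog header, and a "file" normalizer of type regexp that reads the same log directly. The added example below (not KUMA's own normalizer code, and not a KUMA configuration) shows what that difference amounts to in practice for the Apache access log rows: an optional RFC 3164 header is stripped and its fields kept, then a single regexp handles both Common and Combined Log Format and detects which one it saw. All sample lines are constructed for this example; a line that matches neither format is rejected rather than turned into a partial event.

```python
"""Regexp-based normalizer for Apache access.log lines in Common or Combined
Log Format, with or without an RFC 3164 Syslog header in front.
Added example; not KUMA's own code. Sample lines are constructed."""
import re
from datetime import datetime

# RFC 3164 header as rsyslog/syslog-ng emit it: optional <PRI>, timestamp, host, tag:
SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):\s*"
)

# Common Log Format; the trailing optional referer/user-agent pair makes it Combined.
APACHE_ACCESS = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

SAMPLE_LINES = [
    # Combined Log Format read straight from access.log (constructed)
    '192.0.2.10 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 '
    '"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"',
    # Common Log Format: no referer/user-agent, "-" for bytes (constructed)
    '198.51.100.7 - - [10/Oct/2000:13:55:37 -0700] "POST /login HTTP/1.1" 401 -',
    # Same access log forwarded over Syslog, header with PRI, host and tag (constructed)
    '<134>Oct 10 13:55:38 web01 httpd: 203.0.113.5 - - [10/Oct/2000:13:55:38 -0700] '
    '"GET /admin HTTP/1.1" 403 226 "-" "curl/7.68.0"',
]


def normalize(line: str) -> dict:
    """Return a flat event dict; raise ValueError if the line is not Apache access format."""
    event = {}
    rest = line.rstrip("\n")

    # Step 1: peel off a Syslog header if present, keeping its fields.
    m = SYSLOG_HEADER.match(rest)
    if m:
        event["syslog_host"] = m.group("host")
        event["syslog_tag"] = m.group("tag")
        if m.group("pri") is not None:
            # PRI = facility * 8 + severity
            event["syslog_facility"], event["syslog_severity"] = divmod(int(m.group("pri")), 8)
        rest = rest[m.end():]

    # Step 2: apply the access-log regexp to what is left.
    a = APACHE_ACCESS.match(rest)
    if not a:
        raise ValueError(f"not an Apache Common/Combined access log line: {line!r}")
    f = a.groupdict()

    event["client"] = f["client"]
    event["user"] = None if f["user"] == "-" else f["user"]
    event["timestamp"] = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = f["request"].split(" ")
    if len(parts) == 3:
        event["method"], event["path"], event["proto"] = parts
    else:
        event["request_raw"] = f["request"]  # malformed or "-" request line
    event["status"] = int(f["status"])
    event["bytes"] = 0 if f["bytes"] == "-" else int(f["bytes"])
    event["format"] = "combined" if f["referer"] is not None else "common"
    if f["referer"] is not None:
        event["referer"] = None if f["referer"] == "-" else f["referer"]
        event["user_agent"] = f["agent"]
    return event


def normalize_all(lines):
    """Normalize a batch of lines, returning the list of events."""
    return [normalize(l) for l in lines]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(ev)
```

The header regexp above expects the standard timestamp, hostname, tag sequence; a source that omits the hostname (the situation the "pfSense w/o hostname" row exists for) would not match it, which is why such sources get a separate regexp normalizer rather than the generic Syslog one.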