A Configuration of Security Log Sources

Log source specifications and configuration support for log collection.

Database Sources

| Vendor | Log Type | Log Location/Name | Supported Versions | Supported Platform |
|---|---|---|---|---|
| IBM | IBM DB2 Audit | {inst_home}/sqllib/db2dump/db2diag*.log | - | Linux, AIX, Windows |
| Microsoft | Microsoft SQL Server Audit | Object Explorer > Security > Audits folder | - | - |
| MySQL | MySQL Audit Log | /var/lib/mysql/audit*.log | 5.5 | - |
| Oracle | Oracle Database Alert | {diagnostic_dest}/diag/rdbms/<db_unique_name>/<instance_name>/trace | 12.1 | AIX, HPUX, Linux, Solaris, Windows |
| Oracle | Oracle Database Listener | {log_dir_path}/*.xml | 12.1 | AIX, HPUX, Linux, Solaris, Windows |
| Oracle | Oracle Database Audit Trail (11g: .AUD, XML File Audit, Oracle Audit; 12c and 18c: .AUD, XML, Unified Audit Trail, Audit Records) | {audit_dest}/*.aud | 11.2 & 12.1 | Linux, Solaris, Windows |
| Oracle | Oracle TNS Trace | {trace_dir_path}/*.log | 12.1 | AIX, HPUX, Linux, Solaris, Windows |

Host Sources

| Vendor | Log Type | File Name/Location | Supported Versions | Supported Platform |
|---|---|---|---|---|
| IBM | AIX Audit | /audit/*.out | 6.1 | AIX |
| Oracle | Linux Audit | /var/log/audit/audit* | - | Linux |
| Oracle | Linux DHCP | <Configured to write to Syslog> | - | Linux |
| Oracle | Linux DNS (BIND) | <Configured to write to Syslog> | - | Linux |
| Oracle | Linux Maillog | /var/log/maillog* | - | Linux |
| Oracle | Linux Syslog | /var/log/messages* | - | Linux |
| Oracle | Linux SUDO | /var/log/sudo.log* | - | Linux |
| CentOS | Linux YUM | /var/log/yum.log* | - | Linux |
| Microsoft | Microsoft DHCP | %windir%\System32\Dhcp | - | Windows Server |
| Microsoft | Microsoft Active Directory Audit | - | 2008, 2008 R2 | - |
| Oracle | Solaris Audit | /var/audit/audit* | 12.1 | Linux, Solaris, Windows |
| Oracle | Solaris Syslog | <Configured to write to Syslog> | - | Linux |
| Ubuntu | Ubuntu Secure | /var/log/secure | - | Ubuntu |
| Ubuntu | Ubuntu Syslog | /var/log/syslog | - | Ubuntu |

Security Device Sources

| Vendor | Log Type | Log Location/Name | Supported Versions | Supported Platform |
|---|---|---|---|---|
| Blue Coat | Bluecoat Proxy | /var/log/bluecoat/w3c* & c:\bluecoatLog\w3c* | SGOS 6.5 and later | AIX, HPUX, Linux, Solaris, Windows |
| Cisco | Cisco ASA Firewall | <Configured to write to Syslog> | 9.5 | N/A |
| Cisco | Cisco ASA VPN | <Configured to write to Syslog> | 9.5 | N/A |
| Check Point | Check Point Firewall LEA Log Format | - | R77.30 | AIX, Linux, Solaris, Windows |
| F5 Networks | - | /var/log | 11 | HPUX, AIX, Linux, Solaris |
| Fortinet | Fortinet FortiGate Firewall | Configured to write to Syslog: /var/log/Fortinet.* | FortiGate 5.6.0 - 5.2 | VMware ESXi v4.0 and newer, Microsoft Hyper-V 2008R2 and newer, Fortinet FortiHypervisor v1.0 and newer |
| IBM | QRadar LEEF | /var/log/qradar.log | - | AIX, Linux, Solaris, Windows |
| netfilter | iptables | /var/log/iptables* | - | Linux |
| Open Source | ipTraffic | /var/log/iptraf/ip_traffic.log | 1.3 and later | Linux |
| Palo Alto Networks | Palo Alto Firewall | - | PAN-OS 7.1 | PA-200, PA-500, PA-2000 Series, PA-3020, PA-3050, PA-3060, PA-4000 Series, PA-5000 Series, PA-7050, PA-7080, and all the Virtual Appliances |

Web Application Server Sources

| Vendor | Log Type | Log Location/Name | Supported Versions | Supported Platform |
|---|---|---|---|---|
| Oracle | FMW Oracle Access Manager (OAM) Audit | {oracle_instance}/auditlogs/OAM/{ias_internal_name}/audit*.log | 12.1 | Linux, Solaris, Windows |
| Oracle | FMW Oracle HTTP Server (OHS) Access | {ohs_home}/servers/{component_name}/logs/access_log* | 11.2 | Linux, Solaris, Windows |
| Oracle | FMW Oracle HTTP Server (OHS) Admin | {ohs_home}/servers/{component_name}/logs/admin_log* | 11.2 | Linux, Solaris, Windows |
| Oracle | FMW Oracle Internet Directory (OID) Audit | {oracle_instance}/auditlogs/OID/{ias_internal_name}/audit-pid*.log | 12.1 | Linux, Solaris, Windows |
| Oracle | FMW WLS Server Access | {ohs_home}/diagnostics/logs/OHS/{component_name}/access_log* | 12.1 | Linux, Solaris, Windows |
| Apache | Tomcat Access | /var/log/<tomcat_version>/access.log | - | Linux, Windows |
| Apache | Tomcat Catalina V8.5 | ${catalina_base}/logs/catalina | - | Linux, Windows |
| Apache | Tomcat Host | /var/log/tomcat7/*.log | - | Linux, Windows |
| Apache | Tomcat Manager V9 | /var/log/<tomcat_version>/manager.log | - | Linux, Windows |