Preset normalizers
To use the updated set of event normalizers for KUMA 2.0, download the archive with the updated set of event normalizers for KUMA 2.0.
The archive contains the following files:
- "Normalizers for KUMA 2.0" file that contains normalizers.
- "Normalizer list for KUMA 2.0.xlsx" file that contains the list of normalizers with their types specified.
To make the updated set of normalizers available for use in KUMA, the normalizers must be imported into KUMA after downloading the archive. Importing the normalizers replaces the original resources provided with KUMA 2.0 with the revised versions, so we recommend exporting your resources before importing the revised versions.
The password for importing data is mustB3Ch@ng3d!
The normalizers listed in the table below are included in the KUMA kit.
Preset normalizers

| Normalizer name | Event source | Normalizer type | Description |
|---|---|---|---|
| [OOTB] 1C EventJournal Normalizer | 1C registration log. | xml | Designed for processing the event log of the 1C system. |
| [OOTB] 1C TechJournal Normalizer | 1C technology log. | regexp | Designed for processing the technology event log. |
| [OOTB] Ahnlab UTM | System logs, operation logs, connections, IPS | regexp | Designed for processing events from the Ahnlab system. |
| [OOTB] Apache Access file (Common or Combined Log Format) | Apache access.log in Common or Combined Log format. | regexp | Designed for processing events in the Access log of the Apache web server. The normalizer supports the processing of events in Common or Combined Log formats. |
| [OOTB] Apache Access Syslog (Common or Combined Log Format) | Apache access.log in Common or Combined Log format, with Syslog header. | syslog | Designed for processing Apache web server events in Common or Combined formats received via the Syslog protocol. |
| [OOTB] Bastion SKDPU-GW | IT Bastion SKDPU system. | syslog | Designed for processing events of the SKDPU NT Access gateway system received via Syslog. |
| [OOTB] Bifit Mitigator Syslog | AntiDDoS events of the Bifit Mitigator solution | syslog | Designed for processing events from the DDOS Mitigator protection system received via Syslog. |
| [OOTB] BIND Syslog | BIND server DNS logs, with Syslog header. | syslog | Designed for processing events of the BIND DNS server received via Syslog. |
| [OOTB] BlueCoat Proxy v0.2 | BlueCoat proxy server event log | regexp | Designed to process BlueCoat proxy server events. |
| [OOTB] Checkpoint Syslog CEF by CheckPoint | Checkpoint, normalization based on the vendor's CEF event representation diagram. | syslog | Designed for processing events received from the Checkpoint event source via the Syslog protocol in the CEF format. |
| [OOTB] Cisco ASA Extended v 0.1 | Cisco ASA base extended set of events. | syslog | Designed for processing events of Cisco ASA devices. |
| [OOTB] Cisco Basic | Cisco ASA base set of events. | syslog | Designed for processing events of network devices with IOS firmware. This normalizer will be removed from the OOTB set after the next release. If you are using this normalizer, you must migrate to the [OOTB] Cisco ASA Extended IOS Basic Syslog normalizer. |
| [OOTB] Cisco WSA AccessFile | Cisco WSA proxy server, access.log file. | regexp | Designed for processing the event log of the Cisco WSA proxy server, the access.log file. |
| [OOTB] Citrix NetScaler | Citrix NetScaler events | regexp | Designed for processing events from the Citrix NetScaler load balancer. |
| [OOTB] CyberTrace | Kaspersky CyberTrace events. | regexp | Designed for processing Kaspersky CyberTrace events. |
| [OOTB] DNS Windows | Windows server DNS logs. | regexp | Designed for processing Microsoft DNS server events. |
| [OOTB] Dovecot Syslog | Dovecot server POP3/IMAP logs. | syslog | Designed for processing events of the Dovecot mail server received via Syslog. |
| [OOTB] Eltex MES Switches | Eltex MES switch events | regexp | Designed for processing events from Eltex network devices. |
| [OOTB] Exchange CSV | Exchange server MTA logs. | csv | Designed for processing the event log of the Microsoft Exchange system. |
| [OOTB] FortiGate KV | FortiGate logs in Key-Value format. | regexp | Designed for processing events from FortiGate firewalls. |
| [OOTB] Fortimail | Fortimail mail system logs. | regexp | Designed for processing events of the FortiMail email protection system. |
| [OOTB] FreeIPA | Free IPA Directory Service logs. | json | Designed for processing events from the FreeIPA system. |
| [OOTB] Huawei Eudemon | Logs of Huawei Eudemon firewalls. | regexp | Designed for processing events from Huawei Eudemon firewalls. |
| [OOTB] Huawei USG Basic | Logs of the main USG modules. | syslog | Designed for processing events received from Huawei USG security gateways via Syslog. |
| [OOTB] Ideco UTM syslog | Ideco UTM events | syslog | Designed for processing events received via Syslog from Ideco UTM 14.7 and later versions. The normalizer supports events from the following modules: Intrusion prevention, Firewall, Application control, Content filter. The normalizer also supports the following event types: connection via VPN, authentication through the web interface. |
| [OOTB] IIS Log File Format | Microsoft IIS logs. | regexp | The normalizer processes events using a regular expression in the format described at https://learn.microsoft.com/en-us/windows/win32/http/iis-logging. |
| [OOTB] InfoWatch Traffic Monitor SQL | DLP system Traffic Monitor by InfoWatch. | sql | Designed for processing events received by the connector from the database of the InfoWatch Traffic Monitor system. |
| [OOTB] IPFIX | IPFIX-format Netflow events. | ipfix | Designed for processing events in the IP Flow Information Export (IPFIX) format. |
| [OOTB] Juniper - JUNOS | Juniper network equipment logs. | regexp | Designed for processing audit events received from Juniper network devices. |
| [OOTB] KATA | Kaspersky Anti Targeted Attack. | cef | Designed for processing alerts or events from the Kaspersky Anti Targeted Attack activity log. |
| [OOTB] KEDR telemetry | EDR telemetry tagged by KATA | json | Designed for processing Kaspersky EDR telemetry tagged by KATA (kafka, EnrichedEventTopic). |
| [OOTB] Kerio Control | Kerio Control events | syslog | Designed for processing events of Kerio Control firewalls. |
| [OOTB] KICS4Net v2.x | Kaspersky Industrial Cyber Security v 2.x. | cef | Designed for processing events of Kaspersky Industrial CyberSecurity for Networks version 2. |
| [OOTB] KICS4Net v3.x | Kaspersky Industrial Cyber Security v 3.x. | syslog | Designed for processing events of Kaspersky Industrial CyberSecurity for Networks version 3. |
| [OOTB] KLMS syslog CEF | Kaspersky Linux Mail Server mail traffic analysis and filtering systems. | syslog | Designed for processing events of Kaspersky Linux Mail Server mail traffic analysis and filtering systems. |
| [OOTB] Kolchuga-K syslog | Events of IVK Kolchuga-K version LKNV.466217.002 | syslog | Designed for processing events of the IVK Kolchuga-K system, version LKNV.466217.002. |
| [OOTB] KSC | Kaspersky Security Center. | cef | Designed for processing Kaspersky Security Center events received via Syslog. |
| [OOTB] KSC from SQL | Kaspersky Security Center, queries to the MS SQL database. | sql | Designed for processing events received by the connector from the database of the Kaspersky Security Center system. |
| [OOTB] KSMG | Kaspersky Security Mail Gateway. | syslog | Designed for processing events of Kaspersky Security Mail Gateway. |
| [OOTB] KUMA forwarding | KUMA | json | Designed for processing events forwarded from KUMA. |
| [OOTB] KWTS (KV) | KWTS logs if sent in Key-Value format. | syslog | Designed for processing events in Kaspersky Web Traffic Security for Key-Value format. |
| [OOTB] KWTS syslog CEF | KWTS events. | syslog | Designed for processing events of the Kaspersky Web Traffic Security (KWTS) 6.1 web traffic analysis and filtering system received via Syslog in CEF format. |
| [OOTB] Linux audit and iptables Syslog | Linux events. | syslog | Designed for processing events of the operating system. This normalizer will be removed from the OOTB set after the next release. If you are using this normalizer, you must migrate to the [OOTB] Linux audit and iptables Syslog v1 normalizer. |
| [OOTB] Linux audit and iptables Syslog v1 | Linux events. | syslog | Designed for processing events of the operating system. This normalizer will be removed from the OOTB set after the next release. If you are using this normalizer, you must migrate to the [OOTB] Linux audit and iptables Syslog v1 normalizer. |
| [OOTB] Linux audit.log file | Linux events. | regexp | Designed for processing security logs of Linux operating systems received via Syslog. |
| [OOTB] MariaDB Audit plugin syslog | MariaDB Audit Plugin events. | syslog | Designed for processing events of the MariaDB Audit Plugin for MariaDB, MySQL 5.7, received via Syslog. |
| [OOTB] MS DHCP file | Windows server DHCP logs. | regexp | Designed for processing Microsoft DHCP server events. |
| [OOTB] Minerva EDR | Minerva EDR events | regexp | Designed for processing events from the Minerva EDR system. |
| [OOTB] NetFlow v5 | Netflow v5 events. | netflow5 | Designed for processing events from Netflow version 5. |
| [OOTB] NetFlow v9 | Netflow v9 events. | netflow9 | Designed for processing events from Netflow version 9. |
| [OOTB] Nginx regexp | Nginx log. | regexp | Designed for processing Nginx web server log events. |
| [OOTB] Oracle Audit Trail | Oracle database table | sql | Designed for processing database audit events received by the connector directly from an Oracle database. |
| [OOTB] OrionSoft zVirt Syslog | Events of the OrionSoft zVirt virtualization system | regexp | Designed for processing events of the OrionSoft zVirt virtualization system. |
| [OOTB] PA-NGFW (Syslog-CSV) | Palo Alto logs in CSV format. | syslog | Designed for processing events from Palo Alto Networks firewalls received via Syslog. |
| [OOTB] PTC Winchill Fracas | Windchill FRACAS events | regexp | Designed for processing events of the Windchill FRACAS failure registration system. |
| [OOTB] PTsecurity ISIM | Positive Technologies ISIM events | regexp | Designed for processing events from the PT Industrial Security Incident Manager system. |
| [OOTB] pfSense Syslog | pfSense events. | syslog | Designed for processing events from Palo Alto Networks firewalls received via Syslog. |
| [OOTB] pfSense w/o hostname | Custom pfSense event normalizer (invalid Syslog header format). | syslog | Designed for processing events from the pfSense firewall with an incorrect Syslog header format. |
| [OOTB] PostgreSQL pgAudit syslog | Events of the pgAudit audit plugin | syslog | Designed for processing events of the pgAudit audit plugin for PostgreSQL received via Syslog. |
| [OOTB] PTsecurity NAD | Network Anomaly Detection by Positive Technologies. | syslog | Designed for processing events from PT Network Attack Discovery (NAD). |
| [OOTB] PTsecurity Sandbox | Positive Technologies Sandbox events | regexp | Designed for processing events of the PT Sandbox system. |
| [OOTB] PTsecurity WAF | Web Application Firewall by Positive Technologies. | syslog | Designed for processing events from the PTsecurity (Web Application Firewall) system. |
| [OOTB] Radware DefensePro AntiDDoS | Radware DefensePro AntiDDoS events | syslog | Designed for processing events from the DDOS Mitigator protection system received via Syslog. |
| [OOTB] S-Terra | S-Terra Gate events. | syslog | Designed for processing events from S-Terra VPN Gate devices. |
| [OOTB] SNMP. Windows {XP/2003} | Windows XP logs | json | Designed for processing events received from workstations and servers running Microsoft Windows XP or Microsoft Windows 2003 operating systems using the SNMP protocol. |
| [OOTB] SecretNet SQL | Secret Net 7. | sql | Designed for processing events received by the connector from the database of the SecretNet system. |
| [OOTB] SonicWall TZ Firewall | Events of TZ series firewalls | syslog | Designed for processing events received via Syslog from the SonicWall TZ firewall. |
| [OOTB] Sophos XG | Sophos XG firewall events | regexp | Designed for processing events from the Sophos XG firewall. |
| [OOTB] Squid access Syslog | Squid proxy server access.log logs. | syslog | Designed for processing events of the Squid proxy server received via the Syslog protocol. |
| [OOTB] Squid access.log file | Squid proxy server access.log logs. | regexp | Designed for processing Squid log events from the Squid proxy server. |
| [OOTB] Syslog header | Events in Syslog format from arbitrary sources. The syslog header is parsed. | syslog | Designed for processing events received via Syslog. The normalizer parses the header of the Syslog event; the message field of the event is not parsed. If necessary, you can parse the message field using other normalizers. |
| [OOTB] Syslog-CEF | Events in CEF format from arbitrary sources, with Syslog header. | syslog | Designed for parsing events from arbitrary sources in the CEF format with a Syslog header. Supports reading files from the following sources: InfoTeCS IDS, IT-Bastion SKDPU NT Monitoring and Analytics, UserGate, SearchInform KIB, Forcepoint Email Security 8.5, ViPNet TIAS. |
| [OOTB] Unbound Syslog | Logs of the Unbound DNS server. | syslog | Designed for processing events from the Unbound DNS server. |
| [OOTB] ViPNet Coordinator Syslog | ViPNet Coordinator logs | syslog | Designed for processing events from the ViPNet Coordinator system. |
| [OOTB] VMware Horizon - Syslog | VMware Horizon logs. Receipt via Syslog. | syslog | Designed for processing events received from the VMware Horizon system via Syslog. |
| [OOTB] Windows Basic | Basic set of Windows Security events. | xml | Designed for processing event logs of Microsoft Windows operating systems, basic set of events. |
| [OOTB] Windows Extended v.0.3 | Extended set of Windows events. | xml | Designed for processing event logs of Microsoft Windows operating systems, extended set of events. Supports events from terminal servers. The parsing method is XML file processing. This normalizer will be removed from the OOTB set after the next release. If you are using this normalizer, you must migrate to the [OOTB] Windows Extended v 1.0 normalizer. |
| [OOTB] Windows Extended v 1.0 | Optimized with fewer extra normalizers. More complete data in group management events. | xml | The normalizer is designed for processing events of the Microsoft Windows operating system. |
| [OOTB][regexp] Continent IPS/IDS & TLS | Continent intrusion detection system, TLS. | regexp | Designed for processing events of Continent IPS/IDS devices in a file. |
| [OOTB] Broadcom Symantec Endpoint Protection | Symantec Endpoint Protection events | regexp | Designed for processing events from the Symantec Endpoint Protection system. |
| [OOTB] Confident Dallas Lock | Confident Dallas Lock events | regexp | Designed for processing events from the Dallas Lock information protection system. |
| [OOTB] WatchGuard Firebox | Firebox firewall events | syslog | Designed for processing WatchGuard Firebox events received via Syslog. |