Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Stormshield Alarm Logs | | | ✅ | ✅ | stormshield_alarm_logs | Key-value | S3
Stormshield System Logs | | | ✅ | ✅ | stormshield_system_logs | Key-value | S3
Stormshield Plugin Logs | | | ✅ | ✅ | stormshield_plugin_logs | Key-value | S3
Stormshield Server Logs | | | ✅ | ✅ | stormshield_server_logs | Key-value | S3
Stormshield Connection Logs | | | ✅ | ✅ | stormshield_connection_logs | Key-value | S3
Overview
Stormshield offers a robust suite of cybersecurity solutions focused on network, endpoint, and data protection. Its flagship products include Stormshield Network Security (SNS), a range of next-generation firewalls with advanced threat prevention and certified compliance; Stormshield Endpoint Security (SES), which provides proactive, behavior-based protection against ransomware, zero-day threats, and insider attacks; and Stormshield Data Security (SDS), a powerful encryption solution for securing sensitive data across devices, cloud environments, and communications. These products work together to deliver an integrated, multilayered defense tailored for critical infrastructures, government agencies, and regulated industries.
Supported data types
Stormshield Alarm Logs
Overview
Table name: stormshield_alarm_logs
Stormshield Alarm Logs provide detailed records of security events detected by the system, such as intrusion attempts, policy violations, or abnormal traffic. These logs are essential for identifying and responding to threats in real time, offering clear visibility into potential risks and security breaches.
Send data to Hunters
Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.
To connect Stormshield logs:
1. Set up log routing via Syslog:
   - In the Stormshield Web Admin interface, go to Configuration > Logs > External Logging.
   - Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140, UDP or TCP).
   - Choose the log format (either RFC 3164 or RFC 5424; Fluentd supports both).
   - Set log levels as needed (Alarm, Connection, System, etc.).
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., an EC2 instance or an on-prem box).
   - Here is a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3. The syslog input appends the facility and priority to the tag prefix, so the filter and match sections use the stormshield.logs.** pattern; a plain stormshield.logs pattern would match nothing:

     <source>
       @type syslog
       port 5140
       bind 0.0.0.0
       # events are tagged stormshield.logs.<facility>.<priority>;
       # UDP by default, add <transport tcp> to receive over TCP
       tag stormshield.logs
     </source>

     <filter stormshield.logs.**>
       @type record_transformer
       enable_ruby true
       <record>
         hostname ${record["host"]}
         message ${record["message"]}
         timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
       </record>
     </filter>

     <match stormshield.logs.**>
       @type s3
       # static keys are shown for illustration; on EC2 prefer an instance
       # role and omit aws_key_id / aws_sec_key
       aws_key_id YOUR_AWS_KEY
       aws_sec_key YOUR_AWS_SECRET
       s3_bucket your-s3-bucket
       s3_region your-region
       path logs/stormshield/
       buffer_path /var/log/td-agent/buffer/s3
       time_slice_format %Y/%m/%d/%H
       time_slice_wait 10m
       # fluent-plugin-s3 names the archive format store_as (gzip is also its default)
       store_as gzip
       format json
     </match>

   - Make sure your Fluentd host (or the IAM user used by Fluentd) has the following S3 permissions (a single policy statement; place it under "Statement" in the IAM policy):

     {
       "Effect": "Allow",
       "Action": [
         "s3:PutObject",
         "s3:PutObjectAcl"
       ],
       "Resource": "arn:aws:s3:::your-s3-bucket/*"
     }

3. Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format. Each record carries the event timestamp (UTC), the sending host, and the syslog message, which consists of the host, the process name and the key-value fields, for example:
timestamp: 2025-02-07T14:41:04.000Z
host: jgfhgd
message: jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 15:41:03" pri=4 confid=01 srcif="Ethernet1" srcifname="lan" ipproto=tcp dstif="Ethernet0" dstifname="wan" proto=http src=10.218.11.76 srcport=62065 srcportname=ad2008-dyn_tcp srcname=H-ULVRS003 srcmac=00:09:0f:09:00:08 dst=95.100.133.156 dstport=80 dstportname=http dstname=a767.dspw65.akamai.net dstcontinent="eu" dstcountry="fr" ipv=4 action=block msg="Sonde de port" class=protocol classification=0 alarmid=63 target=dst logtype="alarm"
Stormshield System Logs
Overview
Table name: stormshield_system_logs
Stormshield System Logs capture the internal operations of the Stormshield appliance, including process activity, system errors, service restarts, and hardware status. These logs are crucial for system monitoring, troubleshooting, and ensuring the overall health and stability of the platform.
Send data to Hunters
Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.
To connect Stormshield logs:
1. Set up log routing via Syslog:
   - In the Stormshield Web Admin interface, go to Configuration > Logs > External Logging.
   - Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140, UDP or TCP).
   - Choose the log format (either RFC 3164 or RFC 5424; Fluentd supports both).
   - Set log levels as needed (Alarm, Connection, System, etc.).
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., an EC2 instance or an on-prem box).
   - Here is a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3. The syslog input appends the facility and priority to the tag prefix, so the filter and match sections use the stormshield.logs.** pattern; a plain stormshield.logs pattern would match nothing:

     <source>
       @type syslog
       port 5140
       bind 0.0.0.0
       # events are tagged stormshield.logs.<facility>.<priority>;
       # UDP by default, add <transport tcp> to receive over TCP
       tag stormshield.logs
     </source>

     <filter stormshield.logs.**>
       @type record_transformer
       enable_ruby true
       <record>
         hostname ${record["host"]}
         message ${record["message"]}
         timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
       </record>
     </filter>

     <match stormshield.logs.**>
       @type s3
       # static keys are shown for illustration; on EC2 prefer an instance
       # role and omit aws_key_id / aws_sec_key
       aws_key_id YOUR_AWS_KEY
       aws_sec_key YOUR_AWS_SECRET
       s3_bucket your-s3-bucket
       s3_region your-region
       path logs/stormshield/
       buffer_path /var/log/td-agent/buffer/s3
       time_slice_format %Y/%m/%d/%H
       time_slice_wait 10m
       # fluent-plugin-s3 names the archive format store_as (gzip is also its default)
       store_as gzip
       format json
     </match>

   - Make sure your Fluentd host (or the IAM user used by Fluentd) has the following S3 permissions (a single policy statement; place it under "Statement" in the IAM policy):

     {
       "Effect": "Allow",
       "Action": [
         "s3:PutObject",
         "s3:PutObjectAcl"
       ],
       "Resource": "arn:aws:s3:::your-s3-bucket/*"
     }

3. Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format. Each record carries the event timestamp (UTC), the sending host, and the syslog message, which consists of the host, the process name and the key-value fields, for example:
timestamp: 2025-02-07T14:41:04.000Z
host: jgfhgd
message: jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 15:41:04" pri=5 msg="Démarrage d'une intervention administrative (185.56.204.137)" user="smc" service=sysevent alarmid=104 logtype="system"
Stormshield Plugin Logs
Overview
Table name: stormshield_plugin_logs
Stormshield Plugin Logs contain diagnostic and operational information related to additional modules or extensions integrated into the Stormshield environment. These logs help administrators understand the behavior and performance of plugins, and are useful during debugging or when fine-tuning features.
Send data to Hunters
Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.
To connect Stormshield logs:
1. Set up log routing via Syslog:
   - In the Stormshield Web Admin interface, go to Configuration > Logs > External Logging.
   - Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140, UDP or TCP).
   - Choose the log format (either RFC 3164 or RFC 5424; Fluentd supports both).
   - Set log levels as needed (Alarm, Connection, System, etc.).
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., an EC2 instance or an on-prem box).
   - Here is a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3. The syslog input appends the facility and priority to the tag prefix, so the filter and match sections use the stormshield.logs.** pattern; a plain stormshield.logs pattern would match nothing:

     <source>
       @type syslog
       port 5140
       bind 0.0.0.0
       # events are tagged stormshield.logs.<facility>.<priority>;
       # UDP by default, add <transport tcp> to receive over TCP
       tag stormshield.logs
     </source>

     <filter stormshield.logs.**>
       @type record_transformer
       enable_ruby true
       <record>
         hostname ${record["host"]}
         message ${record["message"]}
         timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
       </record>
     </filter>

     <match stormshield.logs.**>
       @type s3
       # static keys are shown for illustration; on EC2 prefer an instance
       # role and omit aws_key_id / aws_sec_key
       aws_key_id YOUR_AWS_KEY
       aws_sec_key YOUR_AWS_SECRET
       s3_bucket your-s3-bucket
       s3_region your-region
       path logs/stormshield/
       buffer_path /var/log/td-agent/buffer/s3
       time_slice_format %Y/%m/%d/%H
       time_slice_wait 10m
       # fluent-plugin-s3 names the archive format store_as (gzip is also its default)
       store_as gzip
       format json
     </match>

   - Make sure your Fluentd host (or the IAM user used by Fluentd) has the following S3 permissions (a single policy statement; place it under "Statement" in the IAM policy):

     {
       "Effect": "Allow",
       "Action": [
         "s3:PutObject",
         "s3:PutObjectAcl"
       ],
       "Resource": "arn:aws:s3:::your-s3-bucket/*"
     }

3. Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format. Each record carries the event timestamp (UTC), the sending host, and the syslog message, which consists of the host, the process name and the key-value fields, for example:
timestamp: 2025-02-07T14:41:04.000Z
host: jgfhgd
message: jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 12:40:45" pri=5 confid=01 slotlevel=1 ruleid=12 rulename="89e0fb14" srcif="Ethernet2" srcifname="process" ipproto=tcp dstif="Ethernet4" dstifname="presseballe" proto=s7 src=192.168.10.250 srcport=60025 srcportname=ad2008-dyn_tcp srcname=srv_1 srcmac=30:d0:42:eb:1e:ac dst=192.168.2.30 dstport=102 dstportname=iso-tsap dstname=srv_presse1 modsrc=192.168.2.254 modsrcport=20002 origdst=192.168.2.30 origdstport=102 ipv=4 sent=24 rcvd=355 duration=0.00 action=pass op=4 error_class=0 error_code=0 logtype="plugin"
Stormshield Server Logs
Overview
Table name: stormshield_server_logs
Stormshield Server Logs refer to logs generated by backend services supporting the Stormshield infrastructure. These may include authentication servers, configuration services, or management consoles, and they are key for tracking access, configuration changes, and inter-component communication.
Send data to Hunters
Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.
To connect Stormshield logs:
1. Set up log routing via Syslog:
   - In the Stormshield Web Admin interface, go to Configuration > Logs > External Logging.
   - Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140, UDP or TCP).
   - Choose the log format (either RFC 3164 or RFC 5424; Fluentd supports both).
   - Set log levels as needed (Alarm, Connection, System, etc.).
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., an EC2 instance or an on-prem box).
   - Here is a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3. The syslog input appends the facility and priority to the tag prefix, so the filter and match sections use the stormshield.logs.** pattern; a plain stormshield.logs pattern would match nothing:

     <source>
       @type syslog
       port 5140
       bind 0.0.0.0
       # events are tagged stormshield.logs.<facility>.<priority>;
       # UDP by default, add <transport tcp> to receive over TCP
       tag stormshield.logs
     </source>

     <filter stormshield.logs.**>
       @type record_transformer
       enable_ruby true
       <record>
         hostname ${record["host"]}
         message ${record["message"]}
         timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
       </record>
     </filter>

     <match stormshield.logs.**>
       @type s3
       # static keys are shown for illustration; on EC2 prefer an instance
       # role and omit aws_key_id / aws_sec_key
       aws_key_id YOUR_AWS_KEY
       aws_sec_key YOUR_AWS_SECRET
       s3_bucket your-s3-bucket
       s3_region your-region
       path logs/stormshield/
       buffer_path /var/log/td-agent/buffer/s3
       time_slice_format %Y/%m/%d/%H
       time_slice_wait 10m
       # fluent-plugin-s3 names the archive format store_as (gzip is also its default)
       store_as gzip
       format json
     </match>

   - Make sure your Fluentd host (or the IAM user used by Fluentd) has the following S3 permissions (a single policy statement; place it under "Statement" in the IAM policy):

     {
       "Effect": "Allow",
       "Action": [
         "s3:PutObject",
         "s3:PutObjectAcl"
       ],
       "Resource": "arn:aws:s3:::your-s3-bucket/*"
     }

3. Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format. Each record carries the event timestamp (UTC), the sending host, and the syslog message, which consists of the host, the process name and the key-value fields, for example:
timestamp: 2025-02-07T14:41:04.000Z
host: jgfhgd
message: jgfhgd serverd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 15:41:04" error=1 user="smc" address=185.56.204.137 sessionid=256392 msg="QUIT" logtype="server"
Stormshield Connection Logs
Overview
Table name: stormshield_connection_logs
Stormshield Connection Logs track all incoming and outgoing network sessions passing through the firewall, logging IP addresses, ports, protocols, and session states. These logs are fundamental for traffic analysis, auditing, and detecting suspicious or unauthorized connections.
Send data to Hunters
Hunters supports the collection of Stormshield logs via an intermediary S3 bucket.
To connect Stormshield logs:
1. Set up log routing via Syslog:
   - In the Stormshield Web Admin interface, go to Configuration > Logs > External Logging.
   - Add a Syslog destination pointing to your Fluentd server (typically port 514 or 5140, UDP or TCP).
   - Choose the log format (either RFC 3164 or RFC 5424; Fluentd supports both).
   - Set log levels as needed (Alarm, Connection, System, etc.).
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., an EC2 instance or an on-prem box).
   - Here is a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3. The syslog input appends the facility and priority to the tag prefix, so the filter and match sections use the stormshield.logs.** pattern; a plain stormshield.logs pattern would match nothing:

     <source>
       @type syslog
       port 5140
       bind 0.0.0.0
       # events are tagged stormshield.logs.<facility>.<priority>;
       # UDP by default, add <transport tcp> to receive over TCP
       tag stormshield.logs
     </source>

     <filter stormshield.logs.**>
       @type record_transformer
       enable_ruby true
       <record>
         hostname ${record["host"]}
         message ${record["message"]}
         timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
       </record>
     </filter>

     <match stormshield.logs.**>
       @type s3
       # static keys are shown for illustration; on EC2 prefer an instance
       # role and omit aws_key_id / aws_sec_key
       aws_key_id YOUR_AWS_KEY
       aws_sec_key YOUR_AWS_SECRET
       s3_bucket your-s3-bucket
       s3_region your-region
       path logs/stormshield/
       buffer_path /var/log/td-agent/buffer/s3
       time_slice_format %Y/%m/%d/%H
       time_slice_wait 10m
       # fluent-plugin-s3 names the archive format store_as (gzip is also its default)
       store_as gzip
       format json
     </match>

   - Make sure your Fluentd host (or the IAM user used by Fluentd) has the following S3 permissions (a single policy statement; place it under "Statement" in the IAM policy):

     {
       "Effect": "Allow",
       "Action": [
         "s3:PutObject",
         "s3:PutObjectAcl"
       ],
       "Resource": "arn:aws:s3:::your-s3-bucket/*"
     }

3. Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format. Each record carries the event timestamp (UTC), the sending host, and the syslog message, which consists of the host, the process name and the key-value fields, for example:
timestamp: 2025-02-07T14:41:04.000Z
host: jgfhgd
message: jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" tz=+0100 startime="2025-02-07 15:39:02" pri=5 confid=00 slotlevel=1 ruleid=3 rulename="606fddbf" srcif="ipsec" srcifname="ipsec" ipproto=udp dstif="vlan0" dstifname="admin_switch" proto=snmp src=10.218.62.18 srcport=38257 srcportname=ephemeral_fw_udp srcname=RVFRINF08708 dst=10.0.1.3 dstport=161 dstportname=snmp dstname=RVFRSW01002 modsrc=10.218.62.18 modsrcport=38257 origdst=10.0.1.3 origdstport=161 ipv=4 sent=337 rcvd=391 duration=0.06 action=pass logtype="connection"
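The following Python is an added example (not code from Hunters or Stormshield) that ties the Fluentd output above to the five Expected format samples: it takes one JSON line as the s3 output writes it (the hostname/message/timestamp keys set by the record_transformer filter), splits the Stormshield key-value message into fields while keeping quoted values with spaces intact (such as the msg values in the samples), and maps logtype to the table names listed at the top of this page. The function and constant names are the example's own; the sample record is constructed from this page's system-log sample.

```python
import json
import re

# Stormshield key=value tokens: the value is either a double-quoted string
# (may contain spaces, e.g. msg="Sonde de port") or a bare run of non-spaces.
KV_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Where the key-value body starts; \b keeps alarmid= / confid= from matching.
BODY_START = re.compile(r'\bid=')
# logtype value -> Hunters table name (from the table at the top of this page)
TABLE_BY_LOGTYPE = {
    "alarm": "stormshield_alarm_logs",
    "system": "stormshield_system_logs",
    "plugin": "stormshield_plugin_logs",
    "server": "stormshield_server_logs",
    "connection": "stormshield_connection_logs",
}
REQUIRED = ("id", "time", "fw", "logtype")

def parse_stormshield_kv(message: str) -> dict:
    # Drop the syslog prefix (host and process, e.g. "jgfhgd asqd"),
    # then tokenise; quoted values are unquoted and \" unescaped.
    m = BODY_START.search(message)
    body = message[m.start():] if m else message
    fields = {}
    for key, value in KV_TOKEN.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    missing = [k for k in REQUIRED if k not in fields]
    if missing:  # e.g. a truncated or non-Stormshield syslog line
        raise ValueError(f"not a Stormshield record, missing {missing}")
    return fields

def route_record(fluentd_json: str) -> tuple:
    # One JSON line as the Fluentd s3 output writes it (hostname/message/
    # timestamp); returns (Hunters table name, parsed key-value fields).
    record = json.loads(fluentd_json)
    fields = parse_stormshield_kv(record["message"])
    table = TABLE_BY_LOGTYPE.get(fields["logtype"])
    if table is None:
        raise ValueError(f"unknown logtype {fields['logtype']!r}")
    return table, fields

# Constructed input: this page's system-log sample, wrapped as the filter emits it.
SAMPLE = json.dumps({
    "hostname": "jgfhgd",
    "message": 'jgfhgd asqd id=firewall time="2025-02-07 15:41:04" fw="jgfhgd" pri=5 '
               'msg="Démarrage d\'une intervention administrative (185.56.204.137)" '
               'user="smc" service=sysevent alarmid=104 logtype="system"',
})
```

Run route_record over each line of a downloaded S3 object to confirm every record lands in one of the five tables before enabling the source; a ValueError points at a message that is not in the expected format.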