Network traffic and data generated and received by enterprises pass through various intermediary devices, including on the way to and from public networks such as the Internet. For example, routers, firewalls, intrusion detection devices, load balancers, virtual machine hosts, and other equipment produce and/or handle a significant amount of network traffic.
Network devices report what traffic they see and how they handle that traffic. Syslog and related technologies provide an established messaging protocol for communicating this network information from the various devices, and the messages are logged for subsequent data analysis. As an example, SIEM (Security Information and Event Management) refers to a technology that includes a number of tools to process such data. Enterprises use SIEM to detect problems in their datacenter and network, particularly those related to potential or actual security breaches. However, there are many thousands of device vendors, and each vendor may send messages that are not consistent in how they identify the vendor or the source device.
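As an added illustration, not part of the original text, the following Python parser shows the inconsistency just described: syslog lines from different devices place the source host and application tag in different positions, or omit them entirely, so a SIEM must normalise them before it can attribute an event to a device. The hostnames, tags and message texts used in the comments and tests are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example: normalising syslog lines whose host/vendor fields differ by format.
# All hostnames, application tags and messages used here are constructed samples.

_PRI = r"<(?P<pri>\d{1,3})>"
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    _PRI + r"1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<rest>.*)$", re.DOTALL)
# RFC 3164 (BSD style): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT
_RFC3164 = re.compile(
    _PRI + r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?: ?(?P<rest>.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    fmt: str                    # "rfc5424", "rfc3164" or "unknown"
    facility: Optional[int]     # from PRI: facility = pri // 8
    severity: Optional[int]     # from PRI: severity = pri % 8
    source_host: Optional[str]  # None when the sender gave "-" or no header
    app_tag: Optional[str]      # vendor/application tag, None if absent
    message: str


def _nil(value: str) -> Optional[str]:
    """RFC 5424 uses '-' (NILVALUE) for fields the sender does not know."""
    return None if value == "-" else value


def parse_syslog(line: str) -> SyslogEvent:
    """Return one normalised event; never raise on an unrecognised vendor format."""
    line = line.rstrip("\r\n")
    m = _RFC5424.match(line)
    if m:
        pri = int(m["pri"])
        return SyslogEvent("rfc5424", pri // 8, pri % 8, _nil(m["host"]),
                           _nil(m["app"]), m["rest"])
    m = _RFC3164.match(line)
    if m:
        pri = int(m["pri"])
        # Some devices prefix the tag with '%' (e.g. "%LB-6-CONNECT:"); strip it.
        return SyslogEvent("rfc3164", pri // 8, pri % 8, m["host"],
                           m["tag"].lstrip("%"), m["rest"])
    # No recognisable header: keep the text but mark the source as unknown so the
    # SIEM can report messages that cannot be attributed to a vendor or device.
    return SyslogEvent("unknown", None, None, None, None, line)
```

Events with `source_host` or `app_tag` equal to `None` are the ones the text warns about: the message arrived, but nothing in it reliably identifies where it came from.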