The Graylog (GELF) Sensor App

Role Availability Read-Only Investigator Analyst Manager

The Graylog Extended Log Format (GELF) is a log format designed to overcome many of the limitations of standard syslog, an industry-standard message logging system that is used on many devices and platforms. It is a great solution for applications because it provides more robust logging support (larger payloads, compression, and chunking), and developers can leverage libraries and appenders for many programming languages and logging frameworks.

All of the USM Anywhere Sensors use the Graylog (GELF) app, which passively listens to the Graylog UDP port 12201 and collects the GELF log data for processing. To configure your applications to send data to USM Anywhere, you must specify the IP address of your USM Anywhere Sensor and the port number as the Graylog host.

Important: When you configure GELF for your applications, you must use UDP as the transport layer. The Graylog Sensor App does not support TCP/TLS or HTTP transport.
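The following sender is an added example, not code from USM Anywhere or Graylog. It builds a GELF 1.1 message and sends it over UDP to port 12201, compressing and chunking it the way the GELF UDP format defines. The function names, the 127.0.0.1 placeholder for the Sensor IP address, the 1420-byte datagram size, and the Sensor accepting zlib-compressed payloads are assumptions.

```python
import json, os, socket, time, zlib

GELF_PORT = 12201          # UDP port the Sensor listens on (from the page)
CHUNK_MAGIC = b"\x1e\x0f"  # magic bytes that open every GELF chunk
MAX_DATAGRAM = 1420        # assumed safe datagram size for a 1500-byte MTU
MAX_CHUNKS = 128           # GELF limit on chunks per message

def build_gelf(short_message, host, level=6, **extra):
    """Return a zlib-compressed GELF 1.1 payload as bytes."""
    if "id" in extra:
        raise ValueError("_id is a reserved GELF field name")
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time(), "level": level}
    msg.update({"_" + k: v for k, v in extra.items()})  # additional fields
    return zlib.compress(json.dumps(msg).encode("utf-8"))

def to_datagrams(payload, max_size=MAX_DATAGRAM):
    """Split a payload into UDP datagrams, chunking only when needed."""
    if len(payload) <= max_size:
        return [payload]
    body = max_size - 12  # header: 2 magic + 8 message id + 1 seq + 1 count
    parts = [payload[i:i + body] for i in range(0, len(payload), body)]
    if len(parts) > MAX_CHUNKS:
        raise ValueError("message needs more than 128 chunks")
    msg_id = os.urandom(8)  # same id on every chunk of one message
    return [CHUNK_MAGIC + msg_id + bytes([seq, len(parts)]) + part
            for seq, part in enumerate(parts)]

def reassemble(datagrams):
    """Receiver-side view: reorder chunks, join, inflate, parse the JSON."""
    if datagrams[0][:2] == CHUNK_MAGIC:
        ordered = sorted(datagrams, key=lambda d: d[10])  # byte 10 = seq
        if len(ordered) != ordered[0][11]:                # byte 11 = count
            raise ValueError("missing chunk")
        payload = b"".join(d[12:] for d in ordered)
    else:
        payload = datagrams[0]
    return json.loads(zlib.decompress(payload))

def send_gelf(sensor_ip, short_message, host, **extra):
    """Send one GELF message to the Sensor over UDP (no TCP/TLS or HTTP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in to_datagrams(build_gelf(short_message, host, **extra)):
            s.sendto(d, (sensor_ip, GELF_PORT))

if __name__ == "__main__":
    # 127.0.0.1 is a placeholder; use the IP address of your Sensor.
    send_gelf("127.0.0.1", "login failed", "app01", user="alice")
```

UDP gives no delivery acknowledgement, so a lost chunk means the whole message is dropped by the receiver; keeping messages under one datagram avoids that.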

For more information, see the following vendor documentation:

The Graylog app is enabled by default for each deployed USM Anywhere Sensor. If you want to disable the app for a particular Sensor, follow this procedure.

To disable GELF data collection on a Sensor

  1. In USM Anywhere, go to Data Sources > Sensors.
  2. Click the Sensor Apps tab.
  3. In the left navigation menu, click Graylog.
  4. Select the Sensor where you want to enable the app.

  5. Click Disable.