AlienVault® USM Anywhere™

The Syslog Server Sensor App

Role Availability: Read-Only, Analyst, Manager

Syslog is a message logging standard supported by most devices and operating systems. RFC 5424 defines the syslog message format, including the header and the rules for each data element in it. The message content, however, varies a great deal across data sources. Syslog is the most common method for sending event log data to USM Anywhere.

All USM Anywhere Sensors use the Syslog Server app to collect syslog event log data for processing. The Sensor passively listens on the syslog ports listed below.

Protocol   Port   Syslog support
UDP        514    USM Anywhere collects data through syslog over UDP on port 514 by default.
TCP        601    USM Anywhere collects data through syslog over TCP on port 601 by default.
TLS/TCP    6514   USM Anywhere collects TLS-encrypted data through syslog over TCP on port 6514 by default.

Important: Make sure that the required ports are open inbound to the Sensor for these protocols in your security groups and firewalls.

Configure Syslog on Your Data Sources

For each data source in your network where you want to collect syslog data, you must forward the logs to a USM Anywhere Sensor. Use the following configuration information to configure rsyslog (an open source utility implementing the syslog protocol to forward log messages to and from UNIX and Linux-based computers in a TCP/IP network) to collect and send syslog to your USM Anywhere Sensor. Many third-party systems and devices support other methods for sending syslog messages. Refer to Supported USM Anywhere Plugins for Common Data Sources for specific information about configuring common systems or devices.

Note: The *.* selector forwards all syslog messages. We strongly recommend using rsyslog's filtering capabilities to forward only the logs that USM Anywhere needs to monitor.

Standard Syslog over UDP

To configure syslog over UDP, you need to configure rsyslog on your data source to forward the logs to your USM Anywhere Sensor over the UDP port (default 514).

*.* @<SENSOR_IP>:514 # send (all) messages - Forward to the USM Anywhere Sensor IP address

Where <SENSOR_IP> is the IP address for the USM Anywhere Sensor.

Standard Syslog over TCP

To configure syslog over TCP, you need to configure rsyslog on your data source to forward the logs to your USM Anywhere Sensor over the TCP port (default 601).

*.* @@<SENSOR_IP>:601 # send (all) messages - Forward to the USM Anywhere Sensor IP address

Where <SENSOR_IP> is the IP address for the USM Anywhere Sensor.
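The UDP and TCP rules above, together with the Note's advice to filter rather than forward *.*, as an added example that is not part of the USM Anywhere documentation or the rsyslog project. The script renders legacy-syntax rsyslog forwarding rules, rejects unknown transports and bad ports, and writes a fragment that forwards only auth/authpriv, kern, and anything at warning or above over TCP 601 with a disk-assisted queue, keeping the catch-all *.* rule only as a comment. The Sensor address 10.0.0.5 is hypothetical; OUT_DIR (default: a temporary directory) is where the fragment is written, and you copy it into /etc/rsyslog.d/ yourself.

```shell
#!/bin/sh
# Added example (not from the USM Anywhere documentation or the rsyslog project):
# build an rsyslog forwarding fragment for a USM Anywhere Sensor that forwards
# selected messages instead of "*.*".
# Assumptions: SENSOR_IP 10.0.0.5 is hypothetical; OUT_DIR defaults to a temp dir.
set -eu

# render_forward_rule FILTER TRANSPORT SENSOR_IP PORT
# Prints one legacy-syntax rsyslog rule: "@" forwards over UDP, "@@" over TCP.
# Returns non-zero for an unknown transport or a port outside 1-65535.
render_forward_rule() {
    filter=$1; transport=$2; sensor=$3; port=$4
    case "$transport" in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *)   echo "render_forward_rule: unknown transport '$transport'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "render_forward_rule: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "render_forward_rule: port out of range '$port'" >&2; return 1
    fi
    printf '%s %s%s:%s\n' "$filter" "$prefix" "$sensor" "$port"
}

# write_fragment SENSOR_IP FILE
# Forwards auth/authpriv, kern, and every facility at warning or above over TCP 601.
# The queue directives make the action disk-assisted, so messages survive a
# Sensor outage or an rsyslog restart; in legacy syntax they apply to the next
# action only, which is why they sit directly above the single forwarding rule.
write_fragment() {
    sensor=$1; file=$2
    {
        echo '# Forwarding to the USM Anywhere Sensor (generated by the added example script)'
        echo "# Catch-all, not recommended: $(render_forward_rule '*.*' tcp "$sensor" 601)"
        echo '$ActionQueueType LinkedList'
        echo '$ActionQueueFileName usm_fwd'
        echo '$ActionQueueSaveOnShutdown on'
        echo '$ActionResumeRetryCount -1'
        render_forward_rule 'auth,authpriv.*;kern.*;*.warning' tcp "$sensor" 601
    } > "$file"
}

SENSOR_IP=${SENSOR_IP:-10.0.0.5}     # hypothetical Sensor address
OUT_DIR=${OUT_DIR:-$(mktemp -d)}
write_fragment "$SENSOR_IP" "$OUT_DIR/50-usm-forward.conf"
echo "wrote $OUT_DIR/50-usm-forward.conf"

# After copying the fragment into /etc/rsyslog.d/ on the data source:
#   rsyslogd -N1 && systemctl restart rsyslog       # syntax check, then reload
#   logger -p auth.notice "usm-forward-test $(hostname)"
#   ss -tan state established '( dport = :601 )'    # the TCP session to the Sensor should be listed
```

The validation step in render_forward_rule is deliberate: a typo such as a single @ in front of a TCP port makes rsyslog send UDP datagrams to a port where nothing listens, and the only symptom is a Sensor that never shows a health check for that protocol. Rendering the rule from named arguments and rejecting bad input catches that before the file reaches /etc/rsyslog.d/.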

TLS-Encrypted Syslog over TCP

If you want to enable encrypted syslog communications between a host and the USM Anywhere Sensor, for example to comply with an organizational policy that requires encryption of log data in transit, you can configure syslog TLS/TCP forwarding. TLS uses certificates to authenticate the peers and to encrypt the communication between the client (the data source) and the server (the USM Anywhere Sensor).

To configure syslog for TLS over TCP, you need to configure rsyslog on your data source to use TLS encryption and forward the logs to your USM Anywhere Sensor over the default port (6514). The following configuration information was tested on Ubuntu 16.04 using rsyslog 8. For Red Hat-based distributions, use yum (or rpm) in place of apt-get. For other systems that support rsyslog TLS configuration, you can extrapolate from this information.
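A client-side rsyslog TLS forwarding configuration for port 6514, with the checks to run before trusting it, as an added example that is not part of the USM Anywhere documentation or the rsyslog project. All values are hypothetical: it assumes the Sensor is reachable as usm-sensor.example.com, that its server certificate chains to a CA whose PEM you have saved at /etc/rsyslog.d/usm-ca.pem, and that the name in that certificate is usm-sensor.example.com. The script uses the rsyslog gtls stream driver (package rsyslog-gnutls on both Debian/Ubuntu and Red Hat families) and the legacy directive syntax that matches the rules above; run it with the argument apply to install the fragment, or without arguments to only print it.

```shell
#!/bin/sh
# Added example (not from the USM Anywhere documentation or the rsyslog project):
# rsyslog TLS forwarding to a USM Anywhere Sensor on 6514, with certificate checks.
# Assumptions (hypothetical): SENSOR_HOST usm-sensor.example.com, whose certificate
# chains to the CA in CA_FILE and carries that host name.
set -eu

SENSOR_HOST=${SENSOR_HOST:-usm-sensor.example.com}
CA_FILE=${CA_FILE:-/etc/rsyslog.d/usm-ca.pem}

# tls_client_conf SENSOR_HOST CA_FILE
# Prints an rsyslog fragment that forwards everything over TLS and verifies the
# Sensor's certificate chain and name. AuthMode "anon" would encrypt the stream
# but accept any certificate; "x509/name" plus PermittedPeer is what stops a
# rogue collector from impersonating the Sensor.
tls_client_conf() {
    sensor=$1; ca=$2
    cat <<EOF
# TLS forwarding to the USM Anywhere Sensor (requires rsyslog-gnutls)
\$DefaultNetstreamDriver gtls
\$DefaultNetstreamDriverCAFile $ca
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer $sensor
\$ActionQueueType LinkedList
\$ActionQueueFileName usm_tls_fwd
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@$sensor:6514
EOF
}

# verify_sensor_tls SENSOR_HOST CA_FILE
# Opens a TLS session to port 6514 and succeeds only if the chain verifies
# against CA_FILE; a self-signed or wrong-CA Sensor certificate fails here
# rather than silently in rsyslog.
verify_sensor_tls() {
    openssl s_client -connect "$1:6514" -servername "$1" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

if [ "${1:-}" = apply ]; then
    if command -v apt-get >/dev/null 2>&1; then apt-get install -y rsyslog-gnutls
    elif command -v yum >/dev/null 2>&1; then yum install -y rsyslog-gnutls; fi
    verify_sensor_tls "$SENSOR_HOST" "$CA_FILE" || { echo "Sensor certificate check failed" >&2; exit 1; }
    tls_client_conf "$SENSOR_HOST" "$CA_FILE" > /etc/rsyslog.d/60-usm-tls.conf
    rsyslogd -N1 && systemctl restart rsyslog
    logger -p auth.notice "usm-tls-forward-test $(hostname)"
    ss -tan state established '( dport = :6514 )'   # the TLS session to the Sensor should be listed
else
    tls_client_conf "$SENSOR_HOST" "$CA_FILE"
fi
```

Replace the *.* selector in the generated fragment with a filtered one once forwarding works; the TLS directives do not change which messages are selected, only how they travel.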

Check the Syslog Collection Status

After you have configured the syslog forwarding policy on the required data sources, you can verify the log forwarding in USM Anywhere. When you select the Sensor on the Syslog Server page, the HEALTH column displays the Success Health Check icon for each syslog protocol on which the Sensor has received a packet within the last 10 minutes.

Check the status information to determine if the Sensor is currently receiving syslog packets

Scroll down to the STATS section to review more detailed information about the syslog activity on the Sensor.

Review the information in the Stats tab to verify syslog packets received by the Sensor

Number of Syslog Packets Received — Number of packets received by the Sensor since it has been up and running. (Restarting the Sensor will reset this counter.)

Received Syslog from the following IPs — List of IP addresses forwarding logs to the Sensor. The list holds at most 100 IP addresses, and addresses that have not sent logs in the last 24 hours are dropped from it. (Restarting the Sensor will reset this list.)

Disable Syslog Collection on a USM Anywhere Sensor

The Syslog Server app is enabled for log collection by default for each deployed USM Anywhere Sensor. If you want to disable the app for a particular Sensor, follow this procedure.

To disable syslog data collection on a Sensor

  1. In USM Anywhere, go to DATA SOURCES > INTEGRATIONS.
  2. Click the Sensor Apps tab.

    Access the Sensor Apps page

  3. In the left navigation, click Syslog Server.
  4. Select the Sensor where you want to disable the app.

    Select a deployed Sensor

  5. Click Disable.