A USM Anywhere plugin is a software component that provides logic specific to producing normalized event data from the raw log data received from an external data source. The plugin parses the raw data and converts it into common event fields, such as user, date and time, and source or destination IP address, so that USM Anywhere can manage the information as a security event. With a normalized event, USM Anywhere can display information uniformly and correlate events from various individual systems to generate alarms (notifications of an event or sequence of events that require attention or investigation).
USM Anywhere provides numerous plugins that translate log data from common devices, operating systems, and applications. When USM Anywhere receives the raw log data, it must identify a plugin to use for normalization. Many data sources produce syslog messages that contain information that can be used to identify the device or application that produced the message. Other data sources produce log data that requires more guidance to identify a match for the data.
In USM Anywhere, many plugins can be identified and matched to the log data automatically because of hints — unique information within a syslog message that identifies the data source sending the logs. These hints allow the syslog (an industry-standard message logging system used on many devices and platforms) message to be read and the plugin type to be identified when the hints match the criteria set for each plugin type. Therefore, if a plugin accepts hints, USM Anywhere can automatically identify it as a match for a syslog message.
When you review plugin details in USM Anywhere, these plugins are designated with Autodiscovered = Yes.
Not all plugins accept hints, because some syslog messages contain only generic data. For hints to work, syslog messages must contain unique information. For this reason, USM Anywhere can neither automatically identify those plugins nor read their syslog data. These plugins require a defined match in USM Anywhere, created either by associating the asset with the plugin or by associating the plugin with an asset.
When you review plugin details in USM Anywhere, these plugins are designated with Autodiscovered = No.
With one or more manual plugin associations for an asset, it is possible for the wrong plugin to be invoked for parsing and normalizing a log message. This typically happens if the needed plugin is not included in the list of manually associated plugins.
Important: Assigning a data source to an asset disables the usage of hints and only the assigned data sources are used to parse and normalize a log message. Therefore, if you assign a data source to an asset and that asset produces log messages to be processed by more than one data source, you must manually assign each data source, including the auto-discovered data sources, to the asset.
For detailed instructions about how to associate these plugins with an asset or asset group, see Manual Plugin Management.
Occasionally, a log line does not match either a manually enabled or an auto-discovered plugin. This is typically caused by devices that generate non-standard syslog messages. Because they put non-standard date formats or other information in the syslog HEADER, the USM Anywhere syslog parser is unable to properly extract the tag header. In some cases, you can modify the logging configuration on the device to produce a better result.
For cases where a matching plugin is not identified, USM Anywhere parses the log line using a generic plugin. This plugin parses the log line using regular expressions (sequences of characters that define a search pattern; regex statements in plugin configuration files determine how raw log information for network or device events is parsed to normalize the data and populate standard event fields) and advanced text searches, including common log keywords.
After it scans for key phrases, it starts looking for patterns within the log. It typically looks for these patterns:
Where separators can be one of the following:
: = , ; [ ] / \n
If USM Anywhere uses the AlienVault Generic Plugin as a best-effort to parse a log line, it adds a Was Fuzzied = True field to the event within the Events (Activity > Events) page.
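The matching flow described above (hint-based autodiscovery, manual per-asset associations that disable hints, and the generic best-effort parse that sets Was Fuzzied), as an added illustration that is not USM Anywhere's own code. The plugin names, hint patterns, asset table, keyword table and log lines are all constructed for this example.

```python
import re

# Constructed plugin catalogue: plugin name -> hint regex that autodiscovers it.
HINT_PLUGINS = {
    "example-firewall": re.compile(r"\bexamplefw\[\d+\]:"),
    "example-sshd": re.compile(r"\bsshd\[\d+\]:"),
}
# Constructed manual associations: asset IP -> plugins assigned to that asset.
MANUAL_ASSOCIATIONS = {"10.0.0.5": ["example-sshd"]}

# Pairs are delimited by the separators listed above; a key and its value are
# joined by ':' or '='. COMMON_KEYS maps raw keywords to normalized fields.
PAIR_DELIMS = re.compile(r"[,;\[\]/\n]+")
KEY_VALUE = re.compile(r"^([A-Za-z_][\w.-]*)[:=](.+)$")
COMMON_KEYS = {"src": "source_ip", "srcip": "source_ip", "dst": "destination_ip",
               "dstip": "destination_ip", "user": "user", "username": "user"}

def select_plugin(asset_ip, line):
    """Return the plugin name for this asset and line, or None (use generic)."""
    assigned = MANUAL_ASSOCIATIONS.get(asset_ip)
    if assigned:  # a manual association disables hints: only assigned plugins apply
        candidates = {p: HINT_PLUGINS[p] for p in assigned if p in HINT_PLUGINS}
    else:
        candidates = HINT_PLUGINS
    for name, hint in candidates.items():
        if hint.search(line):
            return name
    return None

def generic_parse(line):
    """Best-effort key/value extraction using the separators listed above."""
    event = {"Was Fuzzied": True}
    for chunk in PAIR_DELIMS.split(line):
        for token in chunk.split():
            m = KEY_VALUE.match(token)
            if m:
                key, value = m.group(1).lower(), m.group(2)
                event[COMMON_KEYS.get(key, key)] = value
    return event

def normalize(asset_ip, line):
    """Dispatch a raw line to its matched plugin, or to the generic plugin."""
    plugin = select_plugin(asset_ip, line)
    if plugin is not None:
        return {"plugin": plugin, "Was Fuzzied": False}
    return {"plugin": "AlienVault Generic Plugin", **generic_parse(line)}
```

Note that the firewall line sent from asset 10.0.0.5 falls through to the generic plugin because only example-sshd is assigned there, which is exactly the situation the Important note above warns about.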
USM Anywhere includes the predefined AlienVault Generic Plugin view to provide easy access to these events (Activity > Events: AlienVault Generic Plugin). If the reporting asset is defined in the USM Anywhere asset inventory, you can manually assign a plugin directly from this view.
For more information about the information and tools available in this view, see AlienVault Generic Plugin.