You configure your third-party devices, systems, and applications to transmit generated log data to your USM Anywhere Sensor, to a location that the sensor can query, or directly to USM Anywhere from a registered AlienVault Agent. Your data sources can produce the data using various formats that are compatible with USM Anywhere data plugins. Plugins specify how to collect and normalize raw information from devices to create events that can then be analyzed to determine threats and vulnerabilities.
Data Collection by Sensor Apps
When log data is transmitted directly to a USM Anywhere Sensor, a Sensor App collects this data according to the identified log message protocol.
| Sensor App | Functional support |
|---|---|
| Syslog Server | Passively collects syslog data transmitted to the USM Anywhere Sensor. For more information, see The Syslog Server Sensor App. The Syslog Server app is supported on all USM Anywhere Sensor types. |
| Graylog | Passively collects GELF data transmitted to the USM Anywhere Sensor. For more information, see The Graylog (GELF) Sensor App. The Graylog app is supported on all USM Anywhere Sensor types. |
| Amazon Web Services | Collects data from AWS logging services and performs queries to collect log data stored in an S3 repository within your AWS environment. For more information about built-in support for AWS logs, see AWS Log Discovery and Collection in USM Anywhere. The AWS app is supported only on the AWS Sensor. |
| Azure | Collects data from Azure logging services configured within your Azure environment. For more information about built-in support for Azure logs, see Azure Log Discovery and Collection in USM Anywhere. The Azure app is supported only on the Azure Sensor. |
USM Anywhere provides the AlienVault Agent, which you can install on your endpoints to centralize the collection and analysis of event logs from remote servers and desktops, making it easier to track the health and security of these systems. It also supports host-based log collection through manual installation and configuration of NXLog and osquery.
Note: With the addition of the AlienVault Agent, USM Anywhere provides an easier implementation of HIDS, FIM, and endpoint log collection across your Windows and Linux environments in the cloud and on premises. If you already have NXLog or osquery installed and configured on your endpoints to forward events to a USM Anywhere Sensor, these methods are still supported and you do not need to replace them.
Refer to the following topics for detailed information about sending log data from your host systems:
- Log collection from a Linux System — Collecting Linux System Logs
- Log collection from a Windows System — Collecting Windows System Logs
Log Collection by AlienApps
Many AlienApps use API and system integrations to actively collect data directly from a third-party device or service.
- The AlienApp™ for Forensics and Response
- The AlienApp™ for Cloudflare
- The AlienApp™ for G Suite
- The AlienApp™ for Office 365
- The AlienApp™ for Sophos Central
- The AlienApp™ for Okta
Log Collection from Various Third-Party Devices and Systems
To support the wide array of third-party devices and systems you may have in your environments, AT&T Cybersecurity provides integration information for the most commonly used external data sources. This information covers how to configure the data source to send log data to a USM Anywhere Sensor, how to select and enable the plugin in USM Anywhere, the event fields generated by the plugin, and where to obtain additional configuration and troubleshooting information from the data source vendor's website.
To access this detailed integration information,
Plugin Syslog Parsing
The date and time in the header of each syslog message must be formatted correctly for USM Anywhere to properly parse the information when generating event details. Some date and time formats, such as the ISO format, may create conflicts in the way event information is parsed. Instead, it is recommended that you follow the IETF BSD specifications for syslog formatting, which results in the following timestamp format in the syslog headers:
Mmm dd hh:mm:ss
Per the BSD protocol, the header should contain a TIMESTAMP field and a HOSTNAME field, and the MSG portion of the log should contain a TAG field and a CONTENT field.
Note that the use of an intermediary log collection agent can cause parsing errors by adding extra, unformatted context to the syslog messages.
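
A pre-flight check for the header layout described above, added here as an illustration (it is not AT&T Cybersecurity or USM Anywhere code). It validates a raw line against the BSD syslog (RFC 3164) layout and flags ISO timestamps and text prepended ahead of the header, as an intermediary agent might do. The function name, status labels, and sample lines are assumptions constructed for this example.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# BSD syslog (RFC 3164) layout: [<PRI>]TIMESTAMP HOSTNAME TAG[pid]: CONTENT
BSD_LINE = re.compile(
    r"(?:<(?P<pri>\d{1,3})>)?"
    # Mmm dd hh:mm:ss; days below 10 are space-padded, zero-padding also accepted
    rf"(?P<timestamp>(?:{MONTHS}) (?: [1-9]|0[1-9]|[12]\d|3[01]) "
    r"(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d) "
    # hostname or IPv4 address (IPv6 literals are not matched here)
    r"(?P<hostname>[A-Za-z0-9._-]+) "
    r"(?P<tag>[A-Za-z0-9_./-]{1,32})(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<content>.*)$"
)
ISO_TS = re.compile(r"(?:<\d{1,3}>)?(?:\d+ )?\d{4}-\d{2}-\d{2}T\d{2}:\d{2}")


def check_header(line):
    """Classify one raw syslog line; return (status, fields)."""
    m = BSD_LINE.match(line)
    if m:
        return "ok", m.groupdict()
    if ISO_TS.match(line):
        return "iso_timestamp", None
    m = BSD_LINE.search(line)
    if m:
        # A valid header exists, but something was prepended to it,
        # for example by an intermediary collection agent.
        return "prefixed", {"extra": line[:m.start()]}
    return "malformed", None


# Constructed sample lines (not taken from any real device).
SAMPLES = [
    "<34>Oct 11 22:14:15 web01 sshd[4721]: Failed password for admin from 192.0.2.10",
    "<34>2023-10-11T22:14:15Z web01 sshd[4721]: Failed password for admin",
    "agent7 fwd: <34>Oct 11 22:14:15 web01 sshd[4721]: Failed password for admin",
    "<34>Oct 11 22:14:15 sshd[4721]: Failed password for admin",  # no HOSTNAME
]

if __name__ == "__main__":
    for sample in SAMPLES:
        status, fields = check_header(sample)
        print(f"{status:14} {fields}")
```

Running a capture of what a device actually emits through a check like this before enabling the plugin shows whether the TIMESTAMP, HOSTNAME, and TAG fields arrive where the parser expects them.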