Documentation Center
AlienVault® USM Anywhere™

Cisco ACE

When you configure Cisco ACE integration to send log data to USM Anywhere, you can use the Cisco ACE plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Cisco
Device type Application Control Engine
Connection type syslog
Vendor link http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/system/message/guide/sysmsggd/config.html

Cisco ACE Integration

Before you configure the integration, you must have the following:

  • IP address of the USM Anywhere Sensor
  • administrator privilege for Cisco ACE
  • connection access to USM Anywhere through syslog from Cisco ACE

To configure Cisco ACE to send log data to USM Anywhere:

  1. Enable system message logging

    host1/Admin# changeto C1

    host1/C1#

    Note: If you operate in multiple contexts, take care to observe the displayed prompt to verify that you are currently in the desired context.

  2. Enter configuration mode

    host1/Admin# config

    Enter configuration commands, one per line. End with CNTL/Z

    host1/Admin(config)#

  3. Enable logging to one or more output locations

    host1/Admin(config)# logging enable

  4. Send syslog messages to USM Anywhere

    logging host ip_address [tcp | udp [/port#]] [default-udp] [format emblem]

    For UDP, enter:

    host1/Admin(config)# logging host <usm_anywhere_ip> udp/514 format emblem

    For TCP, enter:

    host1/Admin(config)# logging host <usm_anywhere_ip> tcp/601 format emblem

    Note: Format Emblem enables EMBLEM format logging for syslog.

  5. Save your changes to the Startup configuration

    host1/Admin(config)# do copy running-config startup-config

  6. Exit configuration mode

    host1/Admin(config)# exit

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • bytes_out
  • customfield_0
  • destination_address
  • destination_port
  • duration
  • event_action
  • event_category
  • event_description
  • event_name
  • event_severity
  • event_subcategory
  • gateway
  • policy
  • source_address
  • source_port
  • transport_protocol
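The following is an added example, not part of this documentation page or of the USM Anywhere plugin, showing how EMBLEM-style ACE syslog lines (as produced by the logging host command above) can be normalized into the plugin field names listed here. The three sample messages, the vlan-prefixed address layout, the message numbers and the field mapping are constructed assumptions for illustration, not the plugin's own parsing rules.

```python
import re
from datetime import timedelta
from typing import Optional

# Constructed sample lines in EMBLEM-style framing: <PRI>host: %ACE-sev-msgid: text
# (an assumption modelled on ACE connection and probe messages, not a real capture).
SAMPLE_LOGS = [
    "<166>host1: %ACE-6-302022: Built TCP connection 0x3a1c for vlan100:10.10.1.25/51522 to vlan200:192.0.2.10/443",
    "<166>host1: %ACE-6-302023: Teardown TCP connection 0x3a1c for vlan100:10.10.1.25/51522 to vlan200:192.0.2.10/443 duration 0:00:07 bytes 18342",
    "<163>host1: %ACE-3-251008: Health probe failed for server 192.0.2.10 on port 443, connectivity error: server open timeout (no SYN ACK)",
]

# Syslog severity digit carried in the %ACE-<sev>-<id> tag.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notice", 6: "informational", 7: "debug"}

# Header: priority, sending host (gateway), severity, message number, free text.
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<host>\S+): %ACE-(?P<sev>[0-7])-(?P<msgid>\d+): (?P<text>.*)$")
# Connection build/teardown body; duration and byte count only appear on teardown.
CONN = re.compile(
    r"(?P<action>Built|Teardown) (?P<proto>TCP|UDP) connection \S+ for "
    r"\S+:(?P<src>[\d.]+)/(?P<sport>\d+) to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+))?"
)

def parse_ace_syslog(line: str) -> Optional[dict]:
    """Return a dict keyed by plugin field names, or None if the line is not an ACE message."""
    m = HEADER.match(line)
    if not m:
        return None
    event = {
        "gateway": m["host"],
        "event_name": f"ACE-{m['sev']}-{m['msgid']}",
        "event_severity": SEVERITY[int(m["sev"])],
        "event_description": m["text"],
    }
    c = CONN.search(m["text"])
    if c:  # connection messages also yield the 5-tuple and the action
        event.update({
            "event_action": c["action"].lower(),
            "transport_protocol": c["proto"],
            "source_address": c["src"], "source_port": int(c["sport"]),
            "destination_address": c["dst"], "destination_port": int(c["dport"]),
        })
        if c["dur"]:  # teardown: convert h:mm:ss to seconds, keep byte count
            h, mi, s = (int(x) for x in c["dur"].split(":"))
            event["duration"] = int(timedelta(hours=h, minutes=mi, seconds=s).total_seconds())
            event["bytes_out"] = int(c["bytes"])
    return event
```

Lines that do not carry the %ACE tag (for example output from a different device sharing the same syslog port) return None, so a collector can count them as unparsed rather than silently dropping them.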

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide