AlienVault® USM Anywhere™

H3C Switch

When you configure H3C Switch integration to send log data to USM Anywhere, you can use the H3C Switch plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor: H3C
Device type: Switch
Connection type: syslog
Vendor link: http://www.h3c.com.hk/Technical_SupportDocuments/Technical_Documents/Switches/H3C_S12500_Series_Switches/Configuration/Operation_Manual/H3C_S12500_CG-Release7128-6W710/12/201301/772703_1285_0.htm#_Ref165188668

Integrating H3C Switch

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To configure H3C Switch to send log data over syslog to USM Anywhere

  1. Enter system view mode:

    system-view

  2. Verify that the information center is enabled. (It is enabled by default.)

    info-center enable

  3. Configure an output rule for the log host:

    info-center source {<module-name>|default} {console|monitor|logbuffer|logfile|loghost} {deny|level <severity>}

  4. (Optional) Specify the source IP address for output logs (by default, the source IP address of output log information is the primary IP address of the matching route's egress interface):

    info-center loghost source <interface-type> <interface-number>

  5. (Optional) Configure the time stamp format:

    info-center timestamp loghost {date|iso|no-year-date|none}

    The default setting is date.

  6. Specify a log host and configure related parameters.

    By default, no log host or related parameters are specified.

    info-center loghost [vpn-instance <vpn-instance-name>] {<IP_address_USM_Anywhere>} [port <port_number>] [facility <local-number>]

    Where:

    port_number = 514

    Important: The value of the port_number variable must be the same as the value configured on the log host. Otherwise, the log host can't receive logs.
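One way to confirm, on a test syslog listener, that a line received from the switch matches the settings chosen in steps 3, 5 and 6. This is an added example, not part of the AlienVault or H3C documentation. The function name, the timestamp layouts in the regular expressions, the local7 and informational defaults, and the sample lines are assumptions constructed for illustration.

```python
import re

# Severity names in syslog order, 0 (most severe) to 7.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "informational", "debugging"]

# Assumed timestamp layout for each `info-center timestamp loghost` option.
TIMESTAMPS = [
    ("iso", re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d")),
    ("date", re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\b")),
    ("no-year-date", re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\b")),
]

def check_loghost_message(raw, facility="local7", level="informational",
                          timestamp="date"):
    """Return the mismatches between one syslog line and the switch settings."""
    m = re.match(r"<(\d{1,3})>", raw)
    if not m or int(m.group(1)) > 191:
        return ["no valid <PRI> header"]
    # Syslog PRI = facility code * 8 + severity code.
    fac_code, sev_code = divmod(int(m.group(1)), 8)
    problems = []
    want_fac = 16 + int(facility[len("local"):])  # local0..local7 = 16..23
    if fac_code != want_fac:
        problems.append(f"facility code {fac_code}, expected {want_fac}")
    # Assumption: `level <severity>` passes that severity and anything more severe.
    if sev_code > SEVERITIES.index(level):
        problems.append(f"severity {SEVERITIES[sev_code]} exceeds level {level}")
    rest = raw[m.end():]
    seen = next((n for n, rx in TIMESTAMPS if rx.match(rest)), "none")
    if seen != timestamp:
        problems.append(f"timestamp format {seen}, expected {timestamp}")
    return problems

# Constructed sample lines (not captured from a real switch).
SAMPLES = [
    "<190>Jan  5 10:15:02 2024 SW1 constructed sample message",  # local7.informational
    "<135>2024-01-05T10:15:02 SW1 constructed sample message",   # local0.debugging
    "<188>Jan  5 10:15:02 SW1 constructed sample message",       # local7.warning
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_loghost_message(line) or "matches settings")
```

An empty list means the facility, severity and timestamp format of the line agree with what was configured on the switch.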

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol

  • customfield_1

  • customheader_1

  • event_description

  • event_name

  • event_outcome

  • event_severity

  • highlight_fields

  • plugin_device

  • plugin_rule

  • source_address

  • transient

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://www.h3c.com.hk/Technical_Support___Documents/Technical_Documents/Switches/H3C_S12500_Series_Switches/Maintenance/Troubleshooting/H3C_S12500_Troubleshooting_Guide-R7128-6W100/