Documentation Center
AlienVault® USM Anywhere™

HP Storage Area Network (SAN) Switch

When you configure HP Storage Area Network (SAN) Switch integration to send log data to USM Anywhere, you can use the HP SAN Switch plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Hewlett-Packard
Device type Switch
Connection type syslog
Vendor link For details, see Appendix A; Using Syslog in the vendor documentation for installation and configuration.

Integrating the HP Storage Area Network Switch

Before you configure the integration, you must have the IP Address of the USM AnywhereUSM Appliance Sensor.

We provide the procedure for configuring HP Storage Area Network Switch for syslog communication with USM Anywhere, using either the HP SAN Network Switch Operating System CLI or the HP SAN Switch web management user interface.

HP SAN Network Switch Operating System CLI

To configure the HP SAN Network Switch to send log data to USM Anywhere

  1. Log into the HP SAN Network Switch.
  2. Enter global configuration mode:

    config

  3. Enter:

    logging <IP_Address_USM_Anywhere>

    If there are no SyslogD servers configured, logging enters a SyslogD server IP address and automatically enables syslog logging to the server (USM Anywhere).

    If at least one SyslogD server is already configured and syslog logging has been disabled, you can still use logging<IP_address> to add another SyslogD server.

    Note: Syslog logins nevertheless remain disabled until you re-enable them with the debug destination logging command.

  4. To exit config mode, press CTRL+Z.
  5. Save the current configuration to the startup configuration of your HP SAN Switch.

    write mem

HP SAN Switch Web Management User Inteface

To configure the HP SAN Network Switch to send log data to USM Anywhere

  1. Log onto the device with your username and password.

  2. From the System configuration sheet, select Management.

  3. From the Management panel, select the System Log link to display its configuration form, and apply the following settings.

    Field Required Value What It Does
    Logging Enable Enables syslog.
    Buffer Size 1 – 100

    (Optional) changes the number of entries the local syslog buffer can hold.

    Default is 50.

    Facility Messages Selects the Messages facility.
    Accept Severity Select any value. Selects the message level that you want it to log.
  4. To save your changes the running-config file, click Apply.
  5. Click Save, and select Yes, when prompted, to save the configuration change to the startup-config file on the flash memory of the device.
  6. Display the Log Server panel by clicking the Show Log Server link, under the Apply and Reset buttons .

  7. Display the System Log Server panel by clicking the Add Log Server link.
  8. In the Server IP Address field, type the IP address of the USM Anywhere Sensor.
  9. In the Server Udp Port field, type 514.
  10. Click Add.
  11. At the bottom of the dialog box, click Save
  12. When prompted, click Yes to save the configuration change to the startup-config file on the device's flash memory.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol

  • customfield_0

  • customfield_1

  • customfield_2

  • customfield_3

  • customfield_4

  • customfield_5

  • customfield_6

  • customheader_0

  • customheader_1

  • customheader_2

  • customheader_3

  • customheader_4

  • customheader_5

  • customheader_6

  • destination_address

  • event_description

  • event_name

  • event_severity

  • rep_device_hostname

  • rep_device_rule_id

  • source_address

  • source_mac

  • source_username

  • timestamp_occured

  • user_role

Troubleshooting

For troubleshooting, refer to the vendor documentation:

Hewlett Packard Enterprise Support Center