AlienVault® USM Anywhere™

Jenkins

When you configure Jenkins to send log data to USM Anywhere, you can use the Jenkins plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor: Jenkins
Device Type: Server
Connection Type: Syslog

Integrating Jenkins

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To configure Jenkins to send log data to USM Anywhere

  1. Configure the Jenkins Syslog Logger Plugin. See the Jenkins documentation for instructions.

    1. In the Syslog Server Hostname field, enter the IP address of the USM Anywhere Sensor.
    2. In the Syslog Server Port field, select the port number depending on the transport protocol you want to use.

      USM Anywhere listens for syslog at UDP port 514, TCP port 601, or TLS/TCP port 6514.

      If using TLS with TCP, you need to download the certificate from USM Anywhere or upload your own certificate to USM Anywhere. See Configure Syslog on Your Data Sources for instructions.

    3. In the Syslog Logging Handler Filter Level field, select the logging level you want to use.

When assisting customers, AT&T Cybersecurity Technical Support noticed that syslog messages forwarded from Jenkins 2.177 appear on multiple lines. For example:

Jun 25 07:35:10 DEVICE-JENKINS jenkins: Jun 25, 2019 3:35:10 AM hudson.model.AsyncPeriodicWork$1 run

INFO: Started Fingerprint cleanup

However, the USM Anywhere Jenkins plugin only processes logs in the single-line format, causing the events to appear with no names. To work around this issue, you can use the following procedure to direct Jenkins to generate logs in single-line format instead.

To configure Jenkins to generate syslog in single-line format

  1. Create a file named logging.properties and paste the following content inside:

    .level=ALL

    handlers=java.util.logging.ConsoleHandler

    java.util.logging.SimpleFormatter.format=[%1$tF %1$tT.%1$tL][%4$s][%2$s] %5$s %6$s%n

    java.util.logging.ConsoleHandler.level=INFO

    java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter

  2. Add the file path to your Java arguments. For example:

    JAVA_ARGS="-Djava.awt.headless=true -Djava.util.logging.config.file=/var/lib/jenkins/logging.properties"

    Note: On most Linux distributions, you can find JAVA_ARGS in /etc/default/jenkins. You need root access to edit the file.

  3. Restart Jenkins.

    Your log should appear in single-line format, similar to this:

    Jul 12 15:04:38 DEVICE-JENKINS jenkins: [2019-07-12 11:04:38.649][INFO][blah.model.Run execute] Test-Release #203 main build action completed: SUCCESS
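
To confirm that the change took effect before relying on the events, you can check captured syslog lines against the single-line layout that the format string above produces. The following Python script is an added example, not part of the USM Anywhere product or its Jenkins plugin. The function names and returned field names are assumptions made for illustration, and the sample lines are the ones shown on this page.

```python
import re

# Syslog header as in the samples on this page, followed by the payload produced by
# java.util.logging.SimpleFormatter.format=[%1$tF %1$tT.%1$tL][%4$s][%2$s] %5$s %6$s%n
SINGLE_LINE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:]*jenkins[^\s:]*): "             # tag must contain "jenkins"
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\]"  # %1$tF %1$tT.%1$tL
    r"\[(?P<level>[A-Z]+)\]"                                     # %4$s (level name)
    r"\[(?P<source>[^\]]*)\] "                                   # %2$s (class and method)
    r"(?P<message>.*)$"                                          # %5$s %6$s
)

# Sample lines copied from this page: the first two are the Jenkins 2.177
# multi-line output, the third is the output after applying logging.properties.
SAMPLE = [
    "Jun 25 07:35:10 DEVICE-JENKINS jenkins: Jun 25, 2019 3:35:10 AM hudson.model.AsyncPeriodicWork$1 run",
    "INFO: Started Fingerprint cleanup",
    "Jul 12 15:04:38 DEVICE-JENKINS jenkins: [2019-07-12 11:04:38.649][INFO][blah.model.Run execute] "
    "Test-Release #203 main build action completed: SUCCESS",
]


def classify(line):
    """Return ('single', fields) for a line in the expected format, else ('other', None)."""
    match = SINGLE_LINE.match(line.rstrip("\r\n"))
    if not match:
        return "other", None
    fields = match.groupdict()
    fields["message"] = fields["message"].rstrip()  # %6$s is empty when nothing was thrown
    return "single", fields


def audit(lines):
    """Count conforming lines and list (line_number, text) for every line that does not conform."""
    conforming, rejected = 0, []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue  # ignore blank lines between records
        kind, _ = classify(line)
        if kind == "single":
            conforming += 1
        else:
            rejected.append((number, line))
    return conforming, rejected


if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print(f"{ok} single-line record(s), {len(bad)} non-conforming line(s)")
    for number, text in bad:
        print(f"  line {number}: {text}")
```

Any line reported as non-conforming after the restart indicates that Jenkins is still writing in the old layout or that logging.properties was not picked up.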

Plugin Enablement

The Jenkins plugin automatically processes all messages when the syslog tags contain jenkins.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_0
  • customfield_1
  • customheader_0
  • customheader_1
  • event_name
  • source_process
  • source_username

Additional Resources and Troubleshooting

Jenkins custom log format broken by 2.177