Log Collection and Normalization in USM Appliance

Applies to Product: USM Appliance™ AlienVault OSSIM®

The USM Appliance plugins process data collected from different data sources, parse and normalize the data, and save that data as standard format events in the SIEM database. Users can then view and analyze these events in the USM Appliance web UI.

Plugins define

  • how to collect information from an application or device
  • how to normalize the collected information before sending data, in the form of standard format events, to the USM Appliance Server

A plugin is a software component that provides logic specific to extracting data collected from external applications and devices. Plugins are enabled in USM Appliance Sensors, which receive data from remote hosts using the following sources or protocols

  • Syslog
  • Windows Management Instrumentation (WMI)
  • Security Device Event Exchange (SDEE)
  • Database
  • Other protocols

Any system that processes logs requires a parser to read them, and to extract and convert their data into standard event fields. The following illustration shows the way in which a USM Appliance Sensor collects syslog messages from different devices, where enabled plugins can then process and normalize the event data contained in specific log files.

USM Sensor diagram with Syslog plugins

USM Appliance log collection diagram

During data normalization, a plugin evaluates information from each line of a log file and translates it to an event that identifies the event's type and subtype within the USM Appliance taxonomy. (See USM Appliance Event Taxonomy.) Normalization also converts portions of each log line into common data fields such as user, date and time, and source or destination IP address.

Log normalization process diagram

Log normalization process

Normalizing information into standard event data fields lets USM Appliance display information uniformly and also correlate events from various individual systems to generate alarms.