Documentation Center
AlienVault® USM Appliance™

HAProxy

When you configure HAProxy to send log data to USM Appliance, you can use the plugin full name as appeared in product web UI plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor HAProxy
Device Type TCP/HTTP Load Balancer and Proxy Server
Connection Type Syslog
Data Source Name HAProxy
Data Source ID 1884

Integrating HAProxy

Before you configure the HAProxy integration, you must have the IP Address of the USM Appliance Sensor.

To configure HAProxy to send Syslog messages to USM Appliance

HAProxy supports five different log formats, with several fields common among these formats. The HTTP format provides the recommended and most advanced logging features for HTTP proxies, and it provides the same information as the TCP format, along with some additional HTTP-specific field information. To enable the HTTP format option, set "option httplog" as a "frontend" configuration section parameter.

To send logs to USM Appliance, edit the HAProxy server configuration file (/etc/haproxy/haproxy.cfg) to include the following lines:

global

log <<USM-Appliance-Sensor-IP-Address>>:514 <facility>

where <facility> must be one of the 24 standard syslog facilities options:

  • kern
  • user
  • mail
  • daemon
  • auth
  • syslog
  • lpr
  • news
  • uucp
  • cron
  • auth2
  • ftp
  • nap
  • audit
  • alert
  • cron2
  • local0
  • local1
  • local2
  • local3
  • local4
  • local5
  • local6
  • local7

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#8

For troubleshooting, refer to the vendor documentation:

https://www.haproxy.com/doc/aloha/7.0/troubleshooting/index.html