USM Anywhere receives syslog An industry standard message logging system that is used on many devices and platforms. log data from external data sources: devices, applications, or operation systems. If that data is not automatically matched with an BlueApp through hints (see Data Sources: Auto Discovered or Not), you must manually associate the BlueApp with an asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. in USM Anywhere. There are two methods for creating these associations:

• By assigning one or more assets to the BlueApp (this document).
• By adding one or more BlueApps to the asset. See Adding BlueApps to an Asset for details.

You can use a combination of these methods to ensure that USM Anywhere can identify the correct BlueApps for the log data it receives from an asset.

To assign an asset to an BlueApp

1. Go to Data Sources > BlueApps > Available Apps.
2. Look for the BlueApp you want to use and click the tile.
3. After the page finishes reloading, click Assign Asset.
4. Select the asset you want to assign. Click Create Asset to add an asset if it is not yet in USM Anywhere.
5. Click Assign.

6. When applicable, select the collection method you want to use.

   

7. When applicable, select the format. See BlueApps Supported Log Formats for more information.

   

8. Click the icon to confirm.
9. Click Done.

To remove an asset from an BlueApp

1. Go to Data Sources > BlueApps > Available Apps.
2. Look for the BlueApp from which you want to remove the asset and click the tile.

3. Click the icon.

   

4. Click Accept to confirm.

To modify an assigned format

1. Go to Data Sources > BlueApps > Available Apps.
2. Look for the BlueApp you want to modify and click the tile.

3. Click the icon of the asset.

   

4. Select the new format you want to use.
5. Click the icon to confirm.
6. Click Done.

BlueApps Supported Log Formats

Some BlueApps in USM Anywhere support multiple formats, giving you the option to select the format suitable to your environment. The following table lists the log formats and provides a sample log line for each one.

Log Formats Supported by BlueApps

Format	Description	Sample Log
CEF	ArcSight Common Event Format	CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension] CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10| src=10.0.0.1 dst=2.1.2.2 spt=1232
CLF	NCSA Common Log Format	125.0.0.1 user - identifier sjones [10/Oct/2011:13:55:36 -0700] "GET /examp_alt.png HTTP/1.0" 200 10801
CSV	Comma-Separated Values	2,398778306028,eni-abc,1.1.1.1,2.2.2.2,52392,443,6,11,1935,1461792267,1461792322,ACCEPT,OK
GELF	Graylog Extended Log Format	{ "version": "1.1", "host": "example.org", "short_message": "A short message", "level": 5, "_some_info": "foo" }
JSON	JavaScript Object Notation	{"DateTime":1438189080000,"UsersName":"Dev","UsersEmail":"dev@blah.com","IPAddress":"1.1.1.1","Action":Test"}
Key‑Value	A key and value pair	id=”0001” severity=”info” name=”http access” action=”pass” method=”GET” srcip=”1.1.1.1” dstip=“2.2.2.2” user=“myuser”
LEEF	Log Event Extended Format	LEEF:Version|Device Vendor|Device Product|Device Version|Event ID|Name| Severity|key=value<tab>key=value<tab>key=value<tab>key=value LEEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10| src=10.0.0.1 dst=2.1.2.2 spt=1232
RegEx	Regular Expression	sshd[1097]: Failed password for invalid user ben from 1.1.1.1 port 43312 ssh2
Split	The fields are separated using a character other than comma	200|939|3934|1.1.1.1|-|1.1.1.1|"'Technology & Telecommunication’"|"test\test"|false|allowed|2.2.2.2
W3C	Extended Log File Format from W3C	#Fields: time cs-method cs-uri   00:34:23 GET /foo/bar.html
XML	Extensible Markup Language	<Root><EventID>90060</EventID><Priority>4</Priority><Message>Application - End</ Message><Category>AUDIT</Category></Root>