Configuring a Custom Log Parser for Use with Your USM Anywhere AlienApp

In addition to the various AlienApps offered by USM Anywhere, AT&T Cybersecurity gives you the option of configuring your own custom log parser to better monitor activity in your environment according to your needs.

The custom log parser operates by taking an event of your choosing and using the logs that generated it as a model for parsing similar logs in the future. The configuration decisions you make when creating your new generic log collector determine precisely how this parser interprets such logs. This enables you to create a specialized log parser to process any of the events your USM Anywhere doesn't otherwise know how to parse, which USM Anywhere labels as "generic events".

Important: Custom AlienApps connect using dynamic IPs. Please allow access to the data source on any IP.

Note: If you are looking for a more robust integration than a custom log parser offers, you can create a fully customized AlienApp to collect and analyze logs from a third-party application. See Configuring a Custom AlienApp for detailed instructions on how to create an AlienApp to suit your environment's needs.

To configure a custom log collector

  1. Within your USM Anywhere, navigate to the generic event for which you want to create a log parser.

  2. Click the event to open the Event Details.
  3. Click Custom App to begin creating your new custom log parser.
    This opens the Custom AlienApp Wizard at the Mapping stage.
  4. Important: Custom AlienApps only support JSON, XML, and CEF log formats. The entire raw log must be in a single format and cannot contain a syslog header.

  5. USM Anywhere uses the configuration details from the previous two steps to connect with your third party and extract data fields found in the logs they send. Use this page to configure the mapping details between the third-party application's data fields and fields in USM Anywhere by dragging and dropping from the detected fields to their matching fields in USM Anywhere.
    Configure which USM Anywhere data fields map to which fields discovered in your source API.

    • Found Parameters: Fields on the left are extracted from logs fetched from your third-party application.

    • USM Anywhere App Fields: Fields on the right are the standard USM Anywhere data labels. Users can map multiple found parameters to the same USM Anywhere app field.

    • Important: See Event Keys descriptions to help you match extracted fields with standard USM Anywhere data fields.

    Click Next to continue.

  6. Select which log fields to include in the Event Details for events your new log parser will generate.
    Choose which of the data fields you previously mapped will appear in the Event Details for events your new app will generate.

    Click Save & Next to continue.

  7. Click Data Source Details to review your custom log parser's configuration.
    Use this preview screen to check the details of your new custom AlienApp, including expanding the data source details.

    You can use the Back button to navigate to any previous page and make changes.

  8. Once you have finalized your log parser's configuration, click Save & Close to finish creating your new log parser.

Important: You must assign your log parser to one or more assets (IP-addressable hosts, including but not limited to network devices, virtual servers, and physical servers) before it will begin collecting logs.

After you have finalized and created your custom log parser, you can continue to make changes or refine its configuration by returning to the Custom Apps page and opening your log parser for editing.
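The format requirement in step 4 (a single JSON, XML, or CEF format with no syslog header) can be checked against a sample raw log before you start the wizard. The following is an added example, not part of the AT&T Cybersecurity documentation; the function name `classify_raw_log`, the syslog-header heuristics, and the sample logs are assumptions made for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

# Assumed heuristic: a syslog header is a leading "<PRI>" (RFC 3164/5424)
# or a leading "Mmm dd hh:mm:ss " timestamp.
SYSLOG_HEADER = re.compile(
    r"^(<\d{1,3}>|[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)"
)
CEF_PREFIX = re.compile(r"^CEF:\d+\|")
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def classify_raw_log(raw: str) -> str:
    """Return 'json', 'xml', 'cef', 'syslog-header' or 'unsupported'."""
    text = raw.strip()
    if SYSLOG_HEADER.match(text):
        return "syslog-header"
    if CEF_PREFIX.match(text):
        # A CEF header has 7 pipe-delimited fields before the extension.
        pipes = len(UNESCAPED_PIPE.findall(text))
        return "cef" if pipes >= 7 else "unsupported"
    try:
        if text.startswith(("{", "[")):
            json.loads(text)  # raises on trailing non-JSON data
            return "json"
        if text.startswith("<"):
            # Intended for your own samples; use a hardened XML parser
            # if the input is untrusted.
            ET.fromstring(text)  # raises on junk after the root element
            return "xml"
    except (ValueError, ET.ParseError):
        pass
    return "unsupported"


# Constructed sample logs (not taken from any real product).
SAMPLES = {
    "json": '{"user": "alice", "action": "login", "src_ip": "192.0.2.10"}',
    "cef": "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login failed|5|src=192.0.2.10",
    "xml": "<event><user>alice</user><action>login</action></event>",
    "with_header": '<34>Oct 11 22:14:15 host1 app: {"user": "alice"}',
    "mixed": '{"user": "alice"} CEF:0|V|P|1.0|100|Login|5|',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:>12}: {classify_raw_log(raw)}")
```

A result of `syslog-header` or `unsupported` means the log should be reformatted at the source before it is sent to the custom log parser.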

To assign an asset to a custom log parser

  1. Navigate to Data Sources > Custom Apps > My Custom Apps.

  2. From the list of custom AlienApps and log parsers, click on the log parser you wish to assign an asset to.

  3. Click Add Assets to open a search field.

    You must assign a log collector to one or more assets before it will begin collecting logs.

  4. Search for an asset by entering all or part of the asset name into the search field.
    Your search results will appear in a drop-down list.

  5. Select the asset you wish to assign to this log parser, and then click Assign.

  6. (Optional.) Continue using the search field to assign as many assets as you wish.