AlienVault® USM Anywhere™

The Syslog Server Sensor App

Role Availability: Read-Only, Analyst, Manager

Syslog is a message logging standard supported by most devices and operating systems. RFC 5424 defines the syslog message header format and rules for each data element within each message header. However, there can be a great deal of variance in the message content received from your data sources. Syslog is the most common method for sending event log data to USM Anywhere.
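The following is an added example, not part of the AlienVault USM Anywhere documentation: a small Python parser for the RFC 5424 header format mentioned above. It splits PRI into facility and severity, takes the six header fields (treating "-" as the NILVALUE), decodes STRUCTURED-DATA including backslash-escaped characters, and falls back to PRI-only decoding for legacy BSD-style lines, which is the kind of variance in message content a collector has to tolerate. The two sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Facility and severity names as numbered in RFC 5424 section 6.2.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, each separated by one space.
HEADER_RE = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    version: int            # 1 for RFC 5424; 0 for legacy BSD-style (RFC 3164) lines
    timestamp: Optional[str]
    hostname: Optional[str]
    app_name: Optional[str]
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: Dict[str, Dict[str, str]]
    msg: str


def _nil(field: str) -> Optional[str]:
    """RFC 5424 uses a single '-' as the NILVALUE for an absent header field."""
    return None if field == "-" else field


def _parse_structured_data(rest: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Parse STRUCTURED-DATA at the start of `rest`; return (elements, remainder)."""
    if rest.startswith("-"):
        return {}, rest[1:]
    elements: Dict[str, Dict[str, str]] = {}
    i = 0
    try:
        while i < len(rest) and rest[i] == "[":
            i += 1
            start = i
            while rest[i] not in " ]":
                i += 1
            sd_id = rest[start:i]
            params: Dict[str, str] = {}
            while rest[i] == " ":               # zero or more SD-PARAMs
                i += 1
                start = i
                while rest[i] != "=":
                    i += 1
                name = rest[start:i]
                i += 1                          # skip '='
                if rest[i] != '"':
                    raise ValueError("SD-PARAM value must be quoted")
                i += 1
                value = []
                while rest[i] != '"':
                    # Inside PARAM-VALUE the characters " ] \ are escaped with a backslash.
                    if rest[i] == "\\" and rest[i + 1] in '"]\\':
                        i += 1
                    value.append(rest[i])
                    i += 1
                i += 1                          # skip closing quote
                params[name] = "".join(value)
            if rest[i] != "]":
                raise ValueError("unterminated SD-ELEMENT")
            i += 1
            elements[sd_id] = params
    except IndexError:
        raise ValueError("truncated STRUCTURED-DATA") from None
    return elements, rest[i:]


def parse_syslog(line: str) -> SyslogMessage:
    """Parse an RFC 5424 line; fall back to PRI-only decoding for other formats."""
    line = line.rstrip("\r\n")
    pri_match = PRI_RE.match(line)
    if not pri_match:
        raise ValueError("missing <PRI> prefix")
    pri = int(pri_match.group(1))
    if pri > 191:                               # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    header = HEADER_RE.match(line)
    if header is None or header.group(2) != "1":
        # Not RFC 5424 (e.g. BSD-style "<13>Jan 15 08:22:07 host tag: msg"):
        # keep the PRI decoding and hand back the rest unparsed.
        return SyslogMessage(FACILITIES[facility], SEVERITIES[severity], 0,
                             None, None, None, None, None, {}, line[pri_match.end():])
    sd, remainder = _parse_structured_data(line[header.end():])
    msg = remainder[1:] if remainder.startswith(" ") else remainder
    if msg.startswith("\ufeff"):                # RFC 5424 allows a UTF-8 BOM before MSG
        msg = msg[1:]
    return SyslogMessage(FACILITIES[facility], SEVERITIES[severity], 1,
                         _nil(header.group(3)), _nil(header.group(4)), _nil(header.group(5)),
                         _nil(header.group(6)), _nil(header.group(7)), sd, msg)


# Constructed sample messages (not captured from a real device).
SAMPLE_RFC5424 = ('<38>1 2024-01-15T08:22:07.123Z fw01.example.com sshd 2210 - '
                  '[origin@32473 ip="203.0.113.5"][meta@32473 note="say \\"hi\\""] '
                  'Failed password for invalid user admin from 203.0.113.5')
SAMPLE_BSD = "<13>Jan 15 08:22:07 host1 cron[123]: job started"

if __name__ == "__main__":
    for sample in (SAMPLE_RFC5424, SAMPLE_BSD):
        print(parse_syslog(sample))
```

The fallback path is deliberate: a collector that rejects every non-RFC-5424 line drops the BSD-style output most network gear still produces, while a collector that trusts the header blindly will misfile messages; decoding PRI first and parsing the rest only when the VERSION field is present gives the facility/severity for routing in both cases.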

All of the USM Anywhere Sensors use the Syslog Server app to collect syslog event log data for processing. The USM Anywhere Sensor passively listens to the syslog ports.

Ports the Syslog Server app requires for specific protocols

Protocol    Port   Syslog support
UDP         514    USM Anywhere collects data through syslog over UDP on port 514 by default.
TCP         601    USM Anywhere collects data through syslog over TCP on port 601 by default.
TCP (TLS)   6514   USM Anywhere collects Transport Layer Security (TLS)-encrypted data through syslog over TCP on port 6514 by default.

Important: USM Anywhere requires the use of the TLS 1.2 protocol to ensure security.

Important: Make sure that the required ports are open for these protocols within your security groups and firewalls.

Configure Syslog on Your Data Sources

For each of the data sources in your network where you want to collect syslog data, you must forward the logs to a USM Anywhere Sensor. Use the following configuration information to use rsyslog (an open source software utility implementing the syslog protocol to forward log messages to and from UNIX and Linux-based computers operating in a TCP/IP network environment) to collect and send syslog to your USM Anywhere Sensor. Many third-party systems and devices support other methods for sending syslog messages. See Supported USM Anywhere Plugins for Common Data Sources for specific information about configuring common systems or devices.

Note: The *.* configuration allows you to forward all syslog messages. However, AT&T Cybersecurity strongly recommends that you use any of the rsyslog filtering capabilities to forward only the logs that need to be monitored by USM Anywhere.

Standard Syslog over UDP

To configure syslog over UDP, you need to configure rsyslog on your data source to forward the logs to your USM Anywhere Sensor over the UDP port (the default is 514).

*.* @<SENSOR_IP>:514 # send (all) messages - Forward to the USM Anywhere Sensor IP address

Where <SENSOR_IP> is the IP address for the USM Anywhere Sensor.

Standard Syslog over TCP

To configure syslog over TCP, you need to configure rsyslog on your data source to forward the logs to your USM Anywhere Sensor over the TCP port (default 601).

*.* @@<SENSOR_IP>:601 # send (all) messages - Forward to the USM Anywhere Sensor IP address

Where <SENSOR_IP> is the IP address for the USM Anywhere Sensor.

TLS-Encrypted Syslog over TCP

If you want to enable encrypted syslog communications between a host and the USM Anywhere Sensor to comply with your organization's security policies that require encryption of log data in transit, you can configure syslog TLS/TCP forwarding. TLS uses certificates to authenticate and encrypt the communication between a client (the data source) and server (the USM Anywhere Sensor).

To configure Syslog for TLS over TCP, you need to configure rsyslog on your data source to use TLS encryption and forward the logs to your USM Anywhere Sensor over the default port (6514). The following configuration information is tested on Ubuntu 16.04 using rsyslog 8. For Red Hat Linux distributions, use rpm or yum in place of apt-get. For other systems supporting rsyslog TLS configuration, you can extrapolate from this information.

When redeploying a sensor with TLS syslog encryption enabled, the new sensor will not keep your previous encryption configuration. You must configure your TLS syslog encryption again for the redeployed sensor:
  • If you used the default sensor certificates, the redeployed sensor will have generated new certificates. Be sure to use the new sensor certificates when reconfiguring your TLS syslog encryption.
  • If you used your own TLS certificates, you must upload your PEM files again, but they can be the same PEM files you used originally.
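As an added example (not from the AlienVault documentation and not the sensor's or rsyslog's own code), the Python script below does from a data source what the three rsyslog actions above do: it builds an RFC 5424 message and sends it over UDP/514, plain TCP/601 (LF-terminated framing, which is what rsyslog's "@@" action sends by default; RFC 6587 octet-counting is available as an option) or TLS/6514 with certificate verification, hostname checking and a TLS 1.2 minimum, matching the requirement stated above. It is useful for confirming that the sensor ports are reachable through your security groups and firewalls before the real forwarding rules go in. The sensor address 192.0.2.10, the CA path /path/to/sensor-ca.pem and the certificate name sensor.example.com are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

SENSOR_IP = "192.0.2.10"                          # placeholder for <SENSOR_IP>
UDP_PORT, TCP_PORT, TLS_PORT = 514, 601, 6514     # USM Anywhere default ports


def build_rfc5424(facility: int, severity: int, hostname: str, app_name: str,
                  msg: str, timestamp: Optional[str] = None,
                  procid: str = "-", msgid: str = "-") -> str:
    """Assemble an RFC 5424 message with no structured data ('-')."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return f"<{facility * 8 + severity}>1 {ts} {hostname} {app_name} {procid} {msgid} - {msg}"


def frame_lf(message: str) -> bytes:
    """Non-transparent framing (RFC 6587 3.4.2): message terminated by LF.
    This is what rsyslog's '@@' TCP action sends by default."""
    return message.encode("utf-8") + b"\n"


def frame_octet_counting(message: str) -> bytes:
    """Octet-counting framing (RFC 6587 3.4.1): 'MSG-LEN SP MSG'."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def make_tls_context(ca_file: Optional[str] = None, client_cert: Optional[str] = None,
                     client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the sensor certificate against `ca_file`
    (system CA store when None) and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:                                # optional mutual TLS
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def send_udp(message: str, sensor_ip: str = SENSOR_IP, port: int = UDP_PORT) -> int:
    """UDP has no framing: one datagram per message. Returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("utf-8"), (sensor_ip, port))


def send_tcp(message: str, sensor_ip: str = SENSOR_IP, port: int = TCP_PORT,
             tls_context: Optional[ssl.SSLContext] = None,
             server_hostname: Optional[str] = None, octet_counting: bool = False) -> int:
    """Send one framed message over TCP, wrapped in TLS when a context is given."""
    frame = frame_octet_counting(message) if octet_counting else frame_lf(message)
    with socket.create_connection((sensor_ip, port), timeout=5) as raw:
        if tls_context is None:
            raw.sendall(frame)
            return len(frame)
        # server_hostname must match a name (or IP SAN) in the sensor certificate.
        with tls_context.wrap_socket(raw, server_hostname=server_hostname or sensor_ip) as tls:
            if tls.version() not in ("TLSv1.2", "TLSv1.3"):
                raise RuntimeError(f"negotiated {tls.version()}, expected TLS 1.2 or later")
            tls.sendall(frame)
            return len(frame)


if __name__ == "__main__":
    test_msg = build_rfc5424(4, 6, "host1.example.com", "syslog-check",
                             "test message to verify USM Anywhere syslog collection")
    send_udp(test_msg)
    send_tcp(test_msg)
    send_tcp(test_msg, port=TLS_PORT,
             tls_context=make_tls_context("/path/to/sensor-ca.pem"),   # placeholder path
             server_hostname="sensor.example.com")                     # placeholder name
```

After running it against a live sensor, the source IP should appear under "Received Syslog from the following IPs" in the Stats section described below, and the matching protocol should show as healthy; if the UDP probe shows up but the TCP or TLS one does not, the missing port is the one to check in the security group or firewall.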

Check the Syslog Collection Status

After you have configured the syslog forwarding policy on the required data sources, you can verify the log forwarding in USM Anywhere. When you select the sensor on the Syslog Server page, the Health column indicates, for each syslog protocol, whether the sensor has received a packet within the last 10 minutes.

Check the status information to determine if the sensor is currently receiving syslog packets

Scroll down to the Stats section to review more detailed information about the syslog activity on the sensor.

Review the information in the Stats tab to verify syslog packets received by the Sensor

  • Number of Syslog Packets Received: Number of packets received by the sensor since it has been up and running. (Restarting the sensor resets this counter.)
  • Received Syslog from the following IPs: List of IP addresses forwarding logs to the sensor. There is a maximum of 100 IPs, and IPs not sending logs in the last 24 hours are discarded. (Restarting the sensor resets this list.)

Disable Syslog Collection on a USM Anywhere Sensor

The Syslog Server app is enabled for log collection by default for each deployed USM Anywhere Sensor. If you want to disable the app for a particular Sensor, follow this procedure.

To disable syslog data collection on a sensor

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the Sensor Apps tab.
  3. In the left navigation menu, click Syslog Server.
  4. Select the sensor where you want to disable the app.

    Select a deployed Sensor

  5. Click Disable.