Data Sources and Log Collection

Some data sources, such as those that support the syslog An industry standard message logging system that is used on many devices and platforms. protocol, can send their logs directly to the USM Anywhere Sensor. For other data sources, USM Anywhere retrieves the logs through scheduled log collection jobs, queries through registered LevelBlue Agents, and queries through configured AlienApp integrations. In each of these cases, USM Anywhere uses a BlueApp for normalizing Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. the collected data to extract and store information in common data fields that define an event.

USM Anywhere Sensors securely transfer the event data from your network environment to your single-tenant USM Anywhere instance for centralized collection, security analysis, threat detection, and compliance-ready log management. Installed LevelBlue Agents communicate over an encrypted Cryptographic transformation of data into a form that conceals the data's original meaning to prevent it from being known or used. channel to send data directly to USM Anywhere.

You configure your third-party devices, systems, and applications to transmit generated log data to your USM Anywhere Sensor, to a location that the sensor can query, or directly to USM Anywhere from a registered LevelBlue Agent. Your data sources can produce the data using various formats that are compatible with BlueApps, see BlueApps Supported Log Formats for more information.

Data Collection by Sensor Apps

When log data is transmitted directly to a USM Anywhere Sensor, a Sensor App collects this data according to the identified log message protocol. The following table shows the data collection by sensor apps.

Data Collection by Sensor Apps
Sensor App Functional support

Syslog Server

Passively collects syslog data transmitted to the USM Anywhere Sensor. For more information, see The Syslog Server Sensor App.

The Syslog Server app is supported on all USM Anywhere Sensor types.

Graylog (GELF)

Passively collects GELF data transmitted to the USM Anywhere Sensor. For more information, see The Graylog (GELF) Sensor App.

The Graylog app is supported on all USM Anywhere Sensor types.

Amazon Web Services

Collects data from AWS logging services and performs queries to collect log data stored in an S3 repository within your AWS environment. For more information about built-in support for AWS logs, see AWS Log Discovery and Collection in USM Anywhere.

The AWS app is supported only on the AWS Sensor.


Collects data from Azure logging services configured within your Azure environment. For more information about built-in support for Azure logs, see Azure Log Discovery and Collection in USM Anywhere.

The Azure app is supported only on the Azure Sensor.

Host-Based Log Collection

USM Anywhere provides the LevelBlue Agent, which you can install on your endpoints to centralize the collection and analysis of event logs from remote servers and desktops, making it easier to track the health and security of these systems. It also supports host-based log collection through manual installation and configuration of NXLog and osquery.

Note: With the addition of the LevelBlue Agent, USM Anywhere provides an easier implementation of HIDS, FIM, and endpoint log collection across your Windows and Linux environments in the cloud and on premises. If you already have NXLog or osquery installed and configured on your endpoints to forward events to a USM Anywhere Sensor, these methods are still supported and you do not need to replace them.

Refer to the following topics for detailed information about sending log data from your host systems:

Log Collection by Advanced BlueApps

Advanced BlueApps use API and system integrations to actively collect data directly from a third-party device or service. See Advanced BlueApps for detailed information about these integrations.

Log Collection from Various Third-Party Devices and Systems

To support the wide array of third-party devices and systems you may have in your environments, LevelBlue provides instructions in the BlueApps UI to assist you with configuration of the most commonly-used external data sources to send log data to a USM Anywhere Sensor.

Syslog Parsing

It is important for the date and time listed in the header of the syslog files to be formatted correctly from the data source for USM Anywhere to properly parse the information when generating event details. Some formats for date and time, such as the ISO format, may create conflicts in the way event information is parsed. Instead, it is recommended you follow the practice of using the IETF BSD specifications for syslog formatting, resulting in the following timestamp format in the syslog headers: Mmm dd hh:mm:ss. Per the BSD protocol, the header should contain a TIMESTAMP field and HOSTNAME field, and the MSG portion of the log should contain a TAG field and a CONTENT field.

Note that the use of an intermediary log collection agent can cause parsing errors by adding extra, unformatted context to the syslog messages.