USM Anywhere™

Cisco SourceFire IDS

When you configure Cisco SourceFire IDS to send its log data to USM Anywhere, the Cisco SourceFire IDS plugin translates the raw syslog messages into normalized events for analysis.

Device Details

Device vendor: Cisco
Device type: Intrusion detection system (IDS)
Connection type: syslog

SourceFire Integration

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor, and the SourceFire management interface must be able to reach that address on the syslog port (UDP 514 by default).

Sending Intrusion Alerts

To configure Cisco SourceFire to send intrusion alerts to USM Anywhere

  1. Log in to the web interface of the SourceFire IDS.
  2. Go to Policies > Intrusion > Intrusion Policy.
  3. Locate the policy you want to apply and select Edit.
  4. Click Advanced Settings.
  5. In the list, locate Syslog Alerting and set it to Enabled.
  6. In the Logging Hosts field, type the IP address of your USM Anywhere Sensor.
  7. Choose an appropriate Facility and Severity from the list boxes.

    Note: You can leave these at their default values unless the receiving syslog server is configured to accept alerts only for a particular facility or severity. Whatever you choose here is encoded in the PRI prefix of every message the appliance sends.

  8. Near the top-left of the page, click Policy Information.
  9. Click Commit Changes.
  10. Reapply your intrusion policy.

Sending Health Alerts

To send health alerts

  1. Log in to the web user interface.
  2. Navigate to Policies > Actions > Alerts.
  3. Create a new syslog alert by clicking Create Syslog Alert.

    1. In the Name field, provide a name for the alert.
    2. In the Host field, type the IP address of your USM Anywhere Sensor.

      Note: The default syslog port is 514, so you do not need to edit the Port field unless your Sensor is listening on a different port.

    3. Select an appropriate Facility and Severity.
    4. Click Save.

      This returns you to the Alerts page.

  4. Under Create Alert, select Enabled.
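Both procedures above end with the same three settings: the Sensor IP address, the syslog port (514 by default) and a Facility/Severity pair. The following Python script is an added example, not code from the USM Anywhere or Cisco documentation. It encodes a chosen facility and severity into the syslog PRI value the way an RFC 3164 sender does, builds one message and sends it over UDP to the Sensor, so you can confirm the path works before waiting for a live intrusion or health alert. The Sensor address 192.0.2.10, the hostname and tag strings, and the default facility/severity arguments are placeholders.

```python
"""Send one test syslog message to a USM Anywhere Sensor.

Added example, not code from the USM Anywhere or Cisco documentation.
It builds a BSD-style (RFC 3164) syslog line, encoding the Facility and
Severity chosen in the SourceFire policy into the <PRI> prefix, and sends
it over UDP to the Sensor. Use it to prove that the Sensor IP and port you
typed into the policy are reachable from the appliance's network.
"""
import socket
from datetime import datetime

# Facility and severity keywords as offered in syslog configuration menus,
# mapped to their numeric codes (RFC 3164 section 4.1.1).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
_FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
_SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def priority(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; e.g. local4 / alert -> 161."""
    return FACILITIES[facility.lower()] * 8 + SEVERITIES[severity.lower()]


def decode_priority(pri: int) -> tuple:
    """Inverse of priority(): recover (facility, severity) from a <PRI> value."""
    return (_FACILITY_NAMES.get(pri // 8, "unknown"),
            _SEVERITY_NAMES.get(pri % 8, "unknown"))


def build_message(facility, severity, hostname, tag, text, when=None):
    """Return an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text."""
    when = when or datetime.now()
    # RFC 3164 space-pads the day of month ("Mar  4"), so use a width-2 field.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def send_test_message(sensor_ip, facility="local4", severity="alert", port=514):
    """Send a single datagram to the Sensor and return the line that was sent.

    The facility/severity defaults are placeholders; pass the values you
    selected in the SourceFire policy so the test message is encoded the
    same way the real alerts will be.
    """
    msg = build_message(facility, severity, "sourcefire-test", "SFIMS",
                        "USM Anywhere syslog connectivity test")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(msg.encode("ascii"), (sensor_ip, port))
    return msg


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder; substitute your Sensor's address.
    print(send_test_message("192.0.2.10"))
```

Run it from a host on the same management network as the SourceFire appliance, and watch for the datagram on the Sensor side (or any host in the path where you can capture) with `tcpdump -ni any udp port 514`. Plain syslog on UDP 514 is neither encrypted nor authenticated, so keep the path between the IDS and the Sensor on a trusted management network and restrict which sources the Sensor accepts syslog from.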

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are the attributes that the plugin extracts from each syslog message. USM Anywhere reports use these fields, you can reference them when creating custom reports, and the USM Anywhere correlation rules also use them.

  • customfield_0
  • customfield_1
  • customfield_2
  • customheader_0
  • customheader_1
  • customheader_2
  • destination_address
  • destination_port
  • event_action
  • event_description
  • event_name
  • source_address
  • source_port
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • rep_device_type
  • timestamp_occured
  • transport_protocol
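To show what normalization into these fields looks like, here is an added Python example; it is not the USM Anywhere plugin, and the mapping of message parts onto field names (in particular what goes into the customfield/customheader slots and the rep_device_type value) is this example's own choice. The sample lines are constructed in the classic Snort-style layout SourceFire uses for intrusion syslog alerting ([gid:sid:rev] "rule message" [Impact: ...] From "sensor" at <time> [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port); the exact layout depends on the SourceFire version, so adjust ALERT_RE to match what your appliance actually emits.

```python
"""Normalize SourceFire intrusion-alert syslog lines into plugin-style fields.

Added example, not the USM Anywhere plugin. The field mapping below is this
example's own choice, and SAMPLE_LINES are constructed test data in the
Snort-style layout SourceFire uses for syslog intrusion alerts.
"""
import re
from datetime import datetime, timezone

ALERT_RE = re.compile(
    r'^(?:<(?P<pri>\d+)>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) SFIMS: '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<name>[^"]*)"'
    r'(?: \[Impact: (?P<impact>[^\]]*)\])?'
    r'(?: From "(?P<sensor>[^"]*)" at (?P<when>[^\[]+?))?'
    r'(?: \[Classification: (?P<classification>[^\]]*)\])?'
    r'(?: \[Priority: (?P<priority>\d+)\])?'
    r' \{(?P<proto>[A-Za-z0-9]+)\} '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$'
)

SAMPLE_LINES = [
    # Constructed: TCP alert with every optional block present.
    '<161>Mar  4 10:15:22 sfims01 SFIMS: [1:2100498:7] '
    '"GPL ATTACK_RESPONSE id check returned root" '
    '[Impact: Currently Not Vulnerable] From "sensor01" at Mon Mar 4 10:15:21 2024 UTC '
    '[Classification: Potentially Bad Traffic] [Priority: 2] '
    '{TCP} 203.0.113.45:80 -> 198.51.100.7:51532',
    # Constructed: ICMP alert, so no ports, and no Impact/From blocks.
    '<161>Mar  4 10:16:03 sfims01 SFIMS: [1:384:5] "PROTOCOL-ICMP PING" '
    '[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.7',
    # Constructed: a message in a different layout; it must be rejected, not misparsed.
    '<165>Mar  4 10:17:00 sfims01 SFIMS: Health Monitor: Disk Usage: Warning',
]


def _parse_when(text):
    """'Mon Mar 4 10:15:21 2024 UTC' -> ISO-8601 string, or None if unparseable.

    Only the UTC-suffixed form is handled; anything else is left as None
    rather than guessed.
    """
    if not text.endswith(" UTC"):
        return None
    try:
        parsed = datetime.strptime(text[:-4], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc).isoformat()


def normalize(line):
    """Map one intrusion-alert line onto plugin field names; None if no match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "event_action": "alert",
        "event_name": g["name"],
        "event_description": g["classification"] or g["name"],
        "rep_device_hostname": g["host"],          # from the syslog header
        "rep_device_rule_id": f'{g["gid"]}:{g["sid"]}:{g["rev"]}',
        "rep_device_type": "Cisco SourceFire IDS", # assumed label, not the plugin's
        "source_address": g["src"],
        "source_port": int(g["sport"]) if g["sport"] else None,
        "destination_address": g["dst"],
        "destination_port": int(g["dport"]) if g["dport"] else None,
        "transport_protocol": g["proto"].lower(),
        # The syslog header timestamp has no year, so only the "at <time>"
        # block is used; a real collector would fall back to receive time.
        "timestamp_occured": _parse_when(g["when"]) if g["when"] else None,
        # Custom slots: this example's own assignment of the remaining parts.
        "customheader_0": "impact", "customfield_0": g["impact"],
        "customheader_1": "classification", "customfield_1": g["classification"],
        "customheader_2": "priority", "customfield_2": g["priority"],
    }


def normalize_all(lines):
    """Normalize every line that matches; silently skip the rest."""
    return [ev for ev in (normalize(l) for l in lines) if ev is not None]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LINES):
        print(event)
```

The ICMP sample is the edge case worth keeping in any such parser: ports are absent, so source_port and destination_port must be allowed to be None rather than forcing the whole line to fail. The third sample shows the other failure mode, a message in a layout the pattern does not understand, which should be rejected cleanly instead of being squeezed into the wrong fields.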


For troubleshooting, refer to the vendor documentation: