AlienVault® USM Anywhere™

Dtex Systems Dtex

When you configure Dtex Systems Dtex to send log data to USM Anywhere, you can use the Dtex plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

  Device Details
    Vendor           Dtex Systems
    Device Type      Intrusion Detection System
    Connection Type  Syslog

Integrating Dtex Systems Dtex

Before you configure the Dtex Systems Dtex integration, you must have the IP address of the USM Anywhere Sensor, and the host that runs rsyslog must be able to reach that sensor on TCP port 514.

To configure Dtex Systems Dtex to send Syslog messages to USM Anywhere

  1. Configure your /etc/rsyslog.conf file (or a drop-in file under /etc/rsyslog.d/) as follows:

    $ModLoad imfile

    $InputFileName <path to the file where Dtex logs are saved>
    $InputFileTag dtex:
    $InputFileSeverity <desired log level>
    $InputFileFacility <local syslog facility>
    $InputRunFileMonitor

    <local syslog facility>.* @@<USM_Anywhere_IP_Address>:514

    For the $InputFileName parameter, add the full path to the Dtex log file. The $InputFileTag parameter sets the syslog tag stamped on each entry read from the file (rsyslog expects a trailing colon). The $InputFileFacility parameter sets the syslog facility assigned to those entries; use the same facility (for example local6) in the selector on the last line so that only the Dtex entries are forwarded, or filter on the dtex tag with a property-based filter instead. For the $InputFileSeverity parameter, specify the log level corresponding to the severity of log messages you want to receive (the default level is notice). $InputRunFileMonitor must come after the $InputFile* parameters; without it rsyslog does not start reading the file. The @@ prefix forwards over TCP (a single @ would use UDP); neither is encrypted, so keep this path on a trusted network or wrap it in rsyslog's TLS support.

  2. Restart the rsyslog service.

Plugin Enablement

The Dtex plugin automatically processes all messages whose raw text contains "|Dtex|". The documented match string "\|Dtex\|" is the regex-escaped form; the backslashes are escapes, not part of the message, and the pipe characters on both sides of Dtex are required, so a message that only mentions Dtex in free text is not routed to this plugin.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • affected_platform
  • application_protocol
  • bytes_in
  • bytes_out
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • customheader_4
  • destination_address
  • destination_hostname
  • destination_port
  • device_external_id
  • device_process_name
  • event_description
  • event_name
  • event_severity
  • file_path
  • plugin_device
  • plugin_device_type
  • rep_device_mac
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • request_url
  • security_group_id
  • session
  • source_address
  • source_hostname
  • source_ntdomain
  • source_port
  • source_process_id
  • source_username
  • time_end
  • time_start
  • transport_protocol
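The enablement rule and the field list above, exercised as an added Python example; this is not AlienVault or Dtex code. It assumes Dtex emits CEF-formatted events, so that "|Dtex|" is the Device Vendor field of the CEF header, and it assumes the mapping from CEF header positions and standard CEF extension keys (src, suser, filePath, cs1/cs1Label and so on) to the plugin field names listed on this page. The three sample log lines are constructed for the example: one Dtex event, one event from another vendor, and one line that mentions Dtex without the pipe delimiters.

```python
"""Added example: route raw syslog lines to the Dtex plugin and extract plugin fields."""
import re
from typing import Dict, Optional

# Enablement rule from the page: the raw message must contain "|Dtex|"
# (documented regex-escaped as "\|Dtex\|"). Matched as a case-sensitive literal.
PLUGIN_MATCH = "|Dtex|"
# ASSUMPTION: values taken from the "Device Details" table on the page.
PLUGIN_DEVICE, PLUGIN_DEVICE_TYPE = "Dtex", "Intrusion Detection System"

# ASSUMPTION: Dtex events are CEF. The seven CEF header positions map to these
# names; only the rep_*/event_* names are plugin fields listed on the page.
HEADER_FIELDS = ["cef_version", "rep_device_vendor", "device_product",
                 "rep_device_version", "rep_device_rule_id", "event_name", "event_severity"]

# ASSUMPTION: standard CEF extension keys -> plugin field names from the page.
FIELD_MAP: Dict[str, str] = {
    "src": "source_address", "shost": "source_hostname", "spt": "source_port",
    "suser": "source_username", "sntdom": "source_ntdomain", "spid": "source_process_id",
    "dst": "destination_address", "dhost": "destination_hostname", "dpt": "destination_port",
    "proto": "transport_protocol", "app": "application_protocol",
    "in": "bytes_in", "out": "bytes_out", "request": "request_url", "filePath": "file_path",
    "start": "time_start", "end": "time_end", "dvcmac": "rep_device_mac",
    "externalId": "device_external_id", "msg": "event_description",
}
for _n in range(5):  # cs1..cs5 / cs1Label..cs5Label -> customfield_0..4 / customheader_0..4
    FIELD_MAP[f"cs{_n + 1}"] = f"customfield_{_n}"
    FIELD_MAP[f"cs{_n + 1}Label"] = f"customheader_{_n}"

_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # an extension key starts after whitespace


def select_plugin(raw: str) -> Optional[str]:
    """Return the plugin name USM Anywhere would hand this raw message to."""
    return "dtex" if PLUGIN_MATCH in raw else None


def split_cef(raw: str) -> Optional[tuple]:
    """Split the CEF part of a syslog line into (7 header fields, extension string).
    Header fields are '|'-delimited; a literal pipe inside a field is escaped as '\\|'."""
    start = raw.find("CEF:")
    if start < 0:
        return None
    s, fields, buf, i = raw[start:], [], [], 0
    while i < len(s) and len(fields) < 7:
        if s[i] == "\\" and i + 1 < len(s):      # keep the escaped character
            buf.append(s[i + 1]); i += 2
        elif s[i] == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(s[i]); i += 1
    return (fields, s[i:]) if len(fields) == 7 else None


def cef_unescape(value: str) -> str:
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline/CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value with spaces' into a dict, values unescaped."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = cef_unescape(ext[m.end():end].strip())
    return out


def normalize(raw: str) -> Optional[Dict[str, str]]:
    """Return the plugin fields for a Dtex message, or None if the plugin would not fire."""
    if select_plugin(raw) != "dtex" or (parts := split_cef(raw)) is None:
        return None
    header, ext = parts
    event = {"plugin_device": PLUGIN_DEVICE, "plugin_device_type": PLUGIN_DEVICE_TYPE}
    event.update({n: v for n, v in zip(HEADER_FIELDS, header) if n.startswith(("rep_", "event_"))})
    event.update({FIELD_MAP[k]: v for k, v in parse_extension(ext).items() if k in FIELD_MAP})
    return event


def normalize_all(lines):
    """Normalise every line the Dtex plugin accepts; other lines are skipped."""
    return [ev for ev in map(normalize, lines) if ev is not None]


# Constructed sample lines (not real Dtex output): RFC 3164 syslog wrapping a CEF body.
SAMPLE_LINES = [
    r"<134>Mar 10 12:00:01 dtexsrv dtex: CEF:0|Dtex|Dtex|1.0|1001|USB Device Attached|7|"
    r"src=10.1.2.3 shost=WS-0042 suser=jdoe sntdom=CORP spid=4120 "
    r"filePath=E:\\exfil\\payroll.xlsx cs1=Removable Media cs1Label=Alert Category "
    r"msg=User copied file to removable drive",
    # Another vendor's CEF event: has pipes, but no "|Dtex|", so the plugin ignores it.
    r"<134>Mar 10 12:00:02 fw01 fw: CEF:0|OtherVendor|FW|1.0|200|Deny|3|src=10.9.9.9 dpt=443",
    # Mentions Dtex in free text without the pipe delimiters: also ignored.
    "<134>Mar 10 12:00:03 host app: Dtex agent heartbeat ok",
]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(ev)
```

Running the block prints one normalised event for the first sample line and nothing for the other two. The header splitter honours the CEF escape for a literal pipe, and the extension parser only treats a token as a key when it follows whitespace, so an escaped equals sign inside a value (for example in event_description) does not start a new field.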

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation: