USM Anywhere™

ForeScout Network Access Control

When you configure ForeScout Network Access Control integration to send log data to USM Anywhere, you can use the ForeScout Network Access Control plugin to translate the raw log data into normalized events for analysis.

Device Details

Device vendor: Sophos
Device type: Network access control (NAC)
Connection type: syslog
Vendor link:

ForeScout NAC Integration

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

To configure ForeScout NAC to forward log data to the USM Anywhere Sensor

  1. From the ForeScout website, download the plug-in for ForeScout CounterACT.

  2. Log in to your ForeScout CounterACT appliance. From the CounterACT Console toolbar, go to Options > Plugins > Install.

  3. Install the syslog plugin.

     After the plugin is installed, it appears in the Plugins pane.

  4. From the Plugins pane, select the syslog plugin and click Configure.

  5. Complete the following parameters:

     1. Syslog Address — Type the IP address of your USM Anywhere Sensor.

     2. Syslog Port — 514

     3. Identity — Type CounterACT.

     4. Facility — Specify the syslog message facility. The default value is local4.

     5. Priority — Specify the syslog message priority. The default value is info.

  6. Click the Events filtering tab, and select the event types that you want to send to your USM Anywhere Sensor.

  7. Click Apply.

  8. To start sending syslog messages, from the Options menu, click Plugins.

  9. Ensure that the syslog plugin is selected.

  10. Click Start.

Plugin Enablement

The ForeScout NAC plugin automatically processes all messages whose syslog tag matches one of the following values: "NAC Policy Log", "Block Event", "System statistics", or "Discovered Device Log".
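The following is an added example, not code from USM Anywhere or ForeScout: it checks a batch of syslog lines against the configuration the procedure above sets (facility local4, priority info, identity CounterACT) and against the tag list the plugin matches. The line layout and the sample messages are constructed assumptions for the example, not ForeScout's documented output format.

```python
import re

# RFC 3164 numeric codes for the guide's default facility/priority (local4 / info).
FACILITIES = {"local4": 20}
SEVERITIES = {"info": 6}

# Syslog tags the USM Anywhere ForeScout NAC plugin processes, per the guide.
PLUGIN_TAGS = {"NAC Policy Log", "Block Event",
               "System statistics", "Discovered Device Log"}

# Assumed line layout (constructed for this example, not ForeScout's format):
#   <PRI>Mmm dd HH:MM:SS IDENTITY TAG: body
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ident>\S+) (?P<tag>[^:]+): (?P<body>.*)$")


def expected_pri(facility="local4", severity="info"):
    """PRI a receiver expects for the guide's defaults: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]  # local4/info -> 166


def parse_syslog(line):
    """Split a line into PRI parts, identity, tag and body; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "identity": m["ident"], "tag": m["tag"].strip(), "body": m["body"]}


def plugin_will_process(line):
    """True when the tag is one the ForeScout NAC plugin normalizes."""
    rec = parse_syslog(line)
    return rec is not None and rec["tag"] in PLUGIN_TAGS


def config_matches_guide(line, identity="CounterACT"):
    """True when identity and PRI are what steps 3-5 of the procedure configure."""
    rec = parse_syslog(line)
    return (rec is not None and rec["identity"] == identity
            and rec["facility"] * 8 + rec["severity"] == expected_pri())


# Constructed sample messages (hypothetical content, not real ForeScout output).
SAMPLE_LINES = [
    "<166>Jan 12 10:00:01 CounterACT Block Event: host 10.0.0.5 blocked by policy Guest-Quarantine",
    "<166>Jan 12 10:00:02 CounterACT NAC Policy Log: host 10.0.0.7 matched policy Corp-Compliance",
    "<166>Jan 12 10:00:03 CounterACT Heartbeat: appliance alive",
    "<14>Jan 12 10:00:04 CounterACT Discovered Device Log: new host 10.0.0.9 mac aa:bb:cc:dd:ee:ff",
]


def triage(lines):
    """Count lines the plugin will normalize versus those it will leave raw."""
    processed = sum(1 for l in lines if plugin_will_process(l))
    return {"processed": processed, "ignored": len(lines) - processed}
```

A line whose tag is outside PLUGIN_TAGS (the Heartbeat sample) still arrives at the sensor but is not normalized, and a line sent with the wrong facility (the `<14>` sample) fails the configuration check even though its tag is accepted.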

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • audit_reason

  • customfield_0

  • destination_address

  • destination_port

  • device_event_category

  • duration

  • event_description

  • event_name

  • event_violation

  • policy

  • source_address

  • source_mac

  • source_process_commandline

  • transport_protocol

For troubleshooting, refer to the vendor documentation: