USM Anywhere™

H3C Switch

When you configure H3C Switch integration to send log data to USM Anywhere, you can use the H3C Switch plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor: H3C
Device type: Switch
Connection type: syslog
Vendor link

Integrating H3C Switch

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

To configure H3C Switch to send log data over syslog to USM Anywhere

  1. Enter system view mode:

    system-view

  2. Verify that the information center is enabled. (It is enabled by default.)

    info-center enable

  3. Configure an output rule for the log host:

    info-center source {<module-name>|default} {console|monitor|logbuffer|logfile|loghost} {deny|level <severity>}

  4. (Optional) Specify the source IP address for output logs (by default, the source IP address of output log information is the primary IP address of the matching route's egress interface):

    info-center loghost source <interface-type> <interface-number>

  5. (Optional) Configure the time stamp format:

    info-center timestamp loghost {date|iso|no-year-date|none}

    The default setting is date.

  6. Specify a log host and configure related parameters.

    By default, no log host or related parameters are specified.

    info-center loghost [vpn-instance <vpn-instance-name>] {<IP_address_USM_Anywhere>} [port <port_number>][facility <local-number>]

    port_number = 514

    Important: The value of the port_number variable must be the same as the value configured on the log host. Otherwise, the log host can't receive logs.
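
The six steps above as one annotated session with concrete values. This is an added example, not part of the original procedure. Assumptions: the sensor address 192.0.2.10 (a documentation address), the source interface LoopBack 0, the prompt name Sysname, the severity informational, and the facility local7 are all placeholders to replace with your own values. The closing display info-center command is the Comware command for reviewing the information center settings and does not appear in the steps above.

```text
# Constructed example session. Lines starting with "#" are annotations, not commands.
# Assumed values: sensor 192.0.2.10, source interface LoopBack 0, device name Sysname.

# Step 1: enter system view.
<Sysname> system-view

# Step 2: make sure the information center is enabled.
[Sysname] info-center enable

# Step 3: output rule for the log host. "default" covers all modules;
# "level informational" sends informational and more severe messages.
[Sysname] info-center source default loghost level informational

# Step 4 (optional): pin the source address to one interface so the sensor
# always sees the same sender IP, whichever egress interface the route uses.
[Sysname] info-center loghost source LoopBack 0

# Step 5 is skipped here, so the loghost time stamp stays at the default (date).

# Step 6: point the switch at the USM Anywhere Sensor on port 514.
[Sysname] info-center loghost 192.0.2.10 port 514 facility local7

# Review the information center settings and the configured log host.
[Sysname] display info-center
```

If the sensor is reached through a VPN instance, add the vpn-instance option from step 6 before the IP address.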

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol

  • customfield_1

  • customheader_1

  • event_description

  • event_name

  • event_outcome

  • event_severity

  • highlight_fields

  • plugin_device

  • plugin_rule

  • source_address

  • transient


For troubleshooting, refer to the vendor documentation: