AlienVault® USM Anywhere™

VMware SSO

When you configure VMware vCenter SSO to send log data to USM Anywhere, you can use the VMware SSO plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
Device Details
Vendor VMware
Device Type Network access control
Connection Type Syslog

Integrating VMware SSO

Before you configure the VMware vCenter SSO Server integration, you must have the IP Address of the USM Anywhere Sensor.

To configure VMware vCenter SSO Server to send log data to USM Anywhere

  1. Log in as administrator@your_domain_name to the vCenter Server instance in the vCenter Server Appliance by using the vSphere Web Client.
  2. On the vSphere Web Client Home page, click System Configuration.
  3. Under System Configuration, click Nodes and select a node from the list.
  4. Click the Related Objects tab.

    You see a list of services running in the node you selected.

  5. Right-click on VMware Syslog Service and select Settings.
  6. Click Edit.
  7. From the Common Log Level drop-down menu, select *.
  8. In the Remote Syslog Host text box, enter the USM Anywhere Sensor IP address.
  9. In the Remote Syslog Port text box, enter 514.
  10. From the Remote Syslog Protocol drop-down menu, select UDP.
  11. Click OK.
  12. From the Actions menu, click Restart, so that the configuration changes are applied.

Plugin Enablement

For plugin enablement information, see Manual Integration Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • application
  • application_type
  • customfield_0
  • customfield_1
  • customfield_2
  • customheader_0
  • customheader_1
  • customheader_2
  • destination_address
  • destination_hostname
  • destination_ntdomain
  • destination_user_group
  • destination_username
  • duration
  • event_category
  • event_group
  • event_name
  • event_severity
  • external_id
  • rep_device_hostname
  • source_ntdomain
  • source_process
  • source_username
  • user_role

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation: