Default Functions Used in the USM Appliance Plugins

The USM Appliance Server must receive normalized events in a predefined format. USM Appliance provides a number of built-in functions you can use to convert the data extracted by a rule's regular expression into the format expected in the normalized USM Appliance event fields.

For example, time and date in USM Appliance are in the format YYYY-MM-DD HH:MM:SS (for example, 2013-12-31 22:57:00), but different data sources use different time and date formats. The normalize_date() function simplifies event normalization by converting those formats into the one accepted by the server.

Another function often used is resolv(), which translates hostnames into IPv4 addresses, first by checking the sensor's local copy of the asset database and then by performing DNS queries. A hostname that cannot be resolved yields 0.0.0.0 rather than an error, so events carrying that source or destination address usually indicate a lookup that failed.

date={normalize_date($date)}

dst_ip={resolv($dst_ip)}

src_ip={resolv($src_ip)}
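The following Python sketch is an added example, not code from the USM Appliance documentation or from the agent itself. It re-implements the behaviour that normalize_date() and resolv() are described as having and applies them the way the three rule lines above would, so the day/month ambiguity and the 0.0.0.0 fallback can be seen on concrete input. The sample log line, the regexp and the dict standing in for the sensor's asset database are constructed for this example, and the choice to give a year-less syslog timestamp the current year is an assumption of the example, not documented behaviour.

```python
"""Illustrative re-implementation of normalize_date() and resolv() as
described in the USM Appliance plugin documentation (example code, not the
agent's own). Uses constructed data only; no network access is needed."""
import ipaddress
import re
import socket
from datetime import datetime

SERVER_FORMAT = "%Y-%m-%d %H:%M:%S"   # the format the USM Appliance Server expects
UNRESOLVED = "0.0.0.0"                # value resolv() yields for a host it cannot resolve

# Unambiguous input formats, tried in order. The numeric day/month form is
# appended at call time because its field order depends on american_format.
_INPUT_FORMATS = [
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%dT%H:%M:%S",
    "%b %d %Y %H:%M:%S",
    "%b %d %H:%M:%S",      # syslog style, no year
]


def normalize_date(string_date, american_format=False):
    """Convert a timestamp in one of several source formats to SERVER_FORMAT.

    Numeric dates such as 01/02/2013 are read day-first (DD/MM/YYYY) unless
    american_format is True, in which case they are read month-first.
    Raises ValueError when no known format matches.
    """
    numeric = "%m/%d/%Y %H:%M:%S" if american_format else "%d/%m/%Y %H:%M:%S"
    for fmt in _INPUT_FORMATS + [numeric]:
        try:
            parsed = datetime.strptime(string_date.strip(), fmt)
        except ValueError:
            continue
        if "%Y" not in fmt:
            # Syslog timestamps carry no year; this example assumes the
            # current one (an assumption, not documented behaviour).
            parsed = parsed.replace(year=datetime.now().year)
        return parsed.strftime(SERVER_FORMAT)
    raise ValueError("unrecognised date format: %r" % string_date)


def normalize_date_american(string_date):
    """Same as normalize_date() but reads numeric dates as MM/DD/YYYY."""
    return normalize_date(string_date, american_format=True)


def resolv(host, asset_db=None, resolver=socket.gethostbyname):
    """Return the IPv4 address for host, or UNRESOLVED if it cannot be found.

    Lookup order follows the description in the table: the local asset
    database first (here a plain dict, an assumption of this example), then
    the configured resolver (DNS by default). A value that already is an
    IPv4 address is returned unchanged.
    """
    host = host.strip()
    try:
        ipaddress.IPv4Address(host)
        return host
    except ipaddress.AddressValueError:
        pass
    if asset_db and host in asset_db:
        return asset_db[host]
    try:
        return resolver(host)
    except OSError:               # socket.gaierror is a subclass of OSError
        return UNRESOLVED


# Constructed firewall log line and the regexp a plugin rule might use on it.
SAMPLE_LINE = "31/12/2013 22:57:00 fw1 ACCEPT src=webserver dst=10.0.0.7"
RULE_REGEXP = re.compile(
    r"(?P<date>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \S+ (?P<action>\w+) "
    r"src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+)"
)
# Constructed stand-in for the sensor's local copy of the asset database.
ASSET_DB = {"webserver": "192.0.2.10"}


def normalize_event(line, asset_db=ASSET_DB, resolver=socket.gethostbyname):
    """Apply the rule: extract the fields, then normalize them exactly as
    date={normalize_date($date)}, src_ip={resolv($src_ip)} and
    dst_ip={resolv($dst_ip)} would. Returns None when the line does not match."""
    match = RULE_REGEXP.match(line)
    if not match:
        return None
    fields = match.groupdict()
    return {
        "date": normalize_date(fields["date"]),
        "src_ip": resolv(fields["src_ip"], asset_db, resolver),
        "dst_ip": resolv(fields["dst_ip"], asset_db, resolver),
        "userdata1": fields["action"],
    }


if __name__ == "__main__":
    print(normalize_event(SAMPLE_LINE))
    # A month-first date needs american_format, otherwise 12/31 is rejected:
    print(normalize_date("12/31/2013 22:57:00", american_format=True))
```

Two things worth noting when writing real rules: a source that logs month-first dates must use normalize_date_american() (or american_format=True), because a day-first parse of 12/31/2013 fails outright and 01/02/2013 silently becomes 1 February; and because resolv() falls through to DNS, every event whose source or destination cannot be resolved arrives at the server with 0.0.0.0, which is worth filtering or alerting on separately rather than treating as a real address.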

The following table provides a list of the built-in USM Appliance functions.

USM Appliance default plugin functions

Function                                            Description
geoip_getCity(addr)                                 Returns the city name for addr from the built-in GeoIP database.
geoip_getCountryCode(addr)                          Returns the country code for addr from the built-in GeoIP database.
geoip_getCountryName(addr)                          Returns the country name of the location addr is in.
geoip_getLatitude(addr)                             Returns the latitude of the location addr is in.
geoip_getLongitude(addr)                            Returns the longitude of the location addr is in.
geoip_getMetroCode(addr)                            Returns the metro code of the location addr is in.
geoip_getPostalCode(addr)                           Returns the postal code of the location addr is in.
geoip_getRegionCode(addr)                           Returns the region code of the location addr is in.
geoip_getRegionName(addr)                           Returns the region name of the location addr is in.
geoip_getTimeZone(addr)                             Returns the time zone of the location addr is in.
resolv(host)                                        Returns the IPv4 address of host. The lookup is first performed on the sensor's local copy of the asset database, then the configured resolver (usually DNS) is tried. A host that cannot be resolved yields 0.0.0.0.
resolv_ip(addr)                                     Translates an IPv4 address to a hostname.
resolv_port(port_name)                              Takes a network service name and returns the port number defined for it in /etc/services.
md5sum(string)                                      Returns the MD5 hash of the supplied string.
normalize_protocol(protocol)                        Returns the normalized form of the supplied protocol value.
normalize_date_american(string_date)                Parses string_date as an American (month-before-day) date and returns it in the format accepted by the server.
normalize_date(string_date, american_format=False)  Parses string_date, reading numeric dates day-before-month unless american_format is True, and returns it in the format accepted by the server.
upper(string)                                       Returns an uppercase version of the supplied string.
sanitize(string)                                    Converts occurrences of "\n" to "\r".