Role AvailabilityRead-OnlyInvestigatorAnalystManager
USM Anywhere receives syslog log data from external data sources: devices, applications, or operation systems. If that data is not automatically matched with an BlueApp through hints (see Data Sources: Auto Discovered or Not), you must manually associate the BlueApp with an asset in USM Anywhere. There are two methods for creating these associations:
  • By assigning one or more assets to the BlueApp. See Assign Assets to BlueApps for details.
  • By adding one or more BlueApps to the asset (this document).
You can use a combination of these methods to ensure that USM Anywhere can identify the correct BlueApps for the log data it receives from an asset.
Assigning an BlueApp to an asset disables the usage of hints for the logs coming from this asset; therefore, USM Anywhere only uses the assigned BlueApps to parse and normalize those logs.If you use a log-forwarding software (such as Splunk or Loggly) to send logs to USM Anywhere, LevelBlue recommends that you use at least two such forwarders: one forwarder for all the auto-discoverable BlueApps, and the other for the non-auto-discoverable BlueApps. In the latter case, you must create an asset in USM Anywhere to denote the forwarder and assign it to the non-auto-discoverable BlueApps. This ensures that USM Anywhere uses the correct BlueApp to parse your logs.
Adding an BlueApp to an asset requires that you know what log data that the USM Anywhere Sensor receives from the asset and which BlueApp(s) are the best match for parsing and normalizing that data to produce meaningful events for your needs. You can add an BlueApp on the Asset Details page. The Asset Details page provides access to all of the available information and tools for managing an individual asset. See Asset Management for more information about managing discovered assets in USM Anywhere. To add an BlueApp from the Asset Details page
  1. Go to Environment > Assets.
  2. (Optional.) Use the Search & Filters option to filter the list and help you locate the asset you want. See Searching Assets for more information.
  3. Click the icon next to the asset name and then select Full Details.
    This displays the Asset Details.
  4. At the bottom of the expanded page, select the BlueApps tab and click Add BlueApp.
  5. In the dialog box, select the BlueApp you want to assign to the asset. Enter full or part of the name in the Set a New BlueApp field and select one from the displayed list.
    The system displays this message at the top of the page: BlueApp added successfully.
  6. (Optional.) Repeat the previous step to add another BlueApp.
  7. Click the icon to close the dialog box. On the BlueApps tab, you can see the list of BlueApps added.