When you configure OSSEC integration to send log data to a deployed USM Anywhere AWS Sensor, you can use the OSSEC plugin to translate the raw log data into normalized events for analysis.
OSSEC is an open-source, host-based intrusion detection system that performs the following functions:
- Log analysis
- File integrity checking
- Policy monitoring
- Rootkit detection
- Real-time alerting
- Active response
If you already have a working OSSEC installation and want to integrate the alerts with your USM Anywhere AWS account, follow this procedure. Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.
To integrate OSSEC into USM Anywhere on AWS
Make sure that there is connectivity between the machine running the OSSEC server and a USM Anywhere sensor deployed in your AWS account.
Configure the OSSEC server to send alerts to USM Anywhere over syslog:
Add the following directive under ossec_config:
USM-ANYWHERE-ADDRESS = the IP address of the USM Anywhere sensor
Enable syslog output and restart the OSSEC server:
/var/ossec/bin/ossec-control enable client-syslog
Verify that OSSEC activated syslog output:
$ tail -n 1000 /var/ossec/logs/ossec.log | grep csyslog
ossec-csyslogd: INFO: Started (pid: 19412).
ossec-csyslogd: INFO: Forwarding alerts via syslog to: ‘USM_ADDRESS:514′.
For plugin enablement information, see Adding AlienApps to an Asset.
Available Plugin Fields
The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.
For troubleshooting, refer to the vendor documentation: