USM Anywhere™


When you configure OSSEC integration to send log data to a deployed USM Anywhere AWS Sensor, you can use the OSSEC plugin to translate the raw log data into normalized events for analysis.

OSSEC is an open-source, host-based intrusion detection system that performs the following functions:

  • Log analysis
  • File integrity checking
  • Policy monitoring
  • Rootkit detection
  • Real-time alerting
  • Active response

Integrating OSSEC

If you already have a working OSSEC installation and want to integrate the alerts with your USM Anywhere AWS account, follow this procedure. Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

To integrate OSSEC into USM Anywhere on AWS

  1. Make sure that there is connectivity between the machine running the OSSEC server and a USM Anywhere sensor deployed in your AWS account.

  2. Configure the OSSEC server to send alerts to USM Anywhere over syslog:

    1. Open /var/ossec/etc/ossec.conf.

    2. Add the following directive under ossec_config:








      USM-ANYWHERE-ADDRESS = the IP address of the USM Anywhere sensor

    3. Enable syslog output and restart the OSSEC server:

      /var/ossec/bin/ossec-control enable client-syslog

      /var/ossec/bin/ossec-control restart

  3. Verify that OSSEC activated syslog output:

    $ tail -n 1000 /var/ossec/logs/ossec.log | grep csyslog


    ossec-csyslogd: INFO: Started (pid: 19412).

    ossec-csyslogd: INFO: Forwarding alerts via syslog to: ‘USM_ADDRESS:514′.

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • destination_address
  • destination_port
  • event_category
  • event_description
  • event_name
  • file_hash
  • file_name
  • file_old_hash
  • rep_device_rule_id
  • source_address
  • source_port
  • source_username


For troubleshooting, refer to the vendor documentation: