AlienVault® USM Appliance™

Create Sample Log Files and Data for Requested Plugins

Applies to Product: USM Appliance™ AlienVault OSSIM®

As part of submitting a request for a new AlienVault USM Appliance plugin, you also need to include a log sample or database dump that includes all the relevant events and data patterns you want the plugin to be able to process and analyze for events. Before sending the sample file as part of your request, you may also want to examine the sample file and remove any extraneous entries or data patterns you don't need to capture, while ensuring the sample file contains as many as possible of the data patterns you do want the plugin to process.

Creating Sample Files for Asset Log-based Plugins

Besides a direct examination and cleanup of log files generated by an asset, AlienVault also recommends a process in which you forward the asset’s syslog files directly to the USM Appliance Sensor. Then, over the span of a few days, try to invoke as many event types as possible, so that relevant data will be captured as syslog entries in the /var/log/alienvault/devices/<IPaddress> folder saved on the USM Appliance Sensor.

Note: Plugin syslog files for each asset are saved on the USM Appliance Sensor in individual /var/log/alienvault/devices/<IPaddress> folders, one folder per asset IP address.

Following this data collection period, you can pull this log file from the sensor and deliver it along with your plugin request, so the AlienVault Plugin Team will have a good sampling of data patterns with which to develop the new plugin.

Creating Sample Log Files for Windows-Based Applications

Creating a plugin sample log file for Windows applications that only log events to the Windows Event Viewer requires a different approach. In this case, one effective way to create a useful sample log file to submit with a new plugin request is to deploy an AlienVault HIDS Agent on the relevant Windows host. You can then configure the agent’s ossec.conf file to capture the appropriate events from the Windows host.

Note: For details on deploying a HIDS Agent, see Deploy AlienVault HIDS Agents. For details on configuring the HIDS Agent for event logging, see Tutorial: Reading a Log File with a HIDS Agent on Windows.

To configure the logging of events by the HIDS agent, you can perform Tasks 1 and 2 of the tutorial on reading log files with a HIDS agent. Task 1 specifies the source location of data generated by the Windows application. Task 2 in the tutorial sets the scope of events logged to LOGALL (based on the scope of events defined in the ossec.conf configuration file).

After allowing some time for the HIDS agent to collect log entries, you can check the /var/ossec/archives/archives.log file on USM Appliance for the specific events from the Windows application. To create the sample log file to submit with your plugin request, you can use commands such as cat and grep (Task 3) to trim down the archives.log file to contain only log lines for the specific events you want a new plugin to catch.
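As an added example (not from the AlienVault documentation), the following POSIX shell script applies the trimming described above to a constructed archives.log: it keeps only the lines from one Windows application source and at most N lines per Event ID, so every data pattern is represented without bulk repeats. The line layout, the source name MyApp and the agent name win-host are assumptions.

```shell
#!/bin/sh
# Added example; not part of the AlienVault documentation or product.
# Assumed archives.log line layout (constructed samples below):
#   <date> (<agent>) <ip>-><location> WinEvtLog: <channel>: <LEVEL>(<EventID>): <source>: <details>

SAMPLE_LOG="constructed-archives.log"
cat >"$SAMPLE_LOG" <<'EOF'
2020 Jan 10 09:00:01 (win-host) 10.0.0.5->WinEvtLog WinEvtLog: Application: INFORMATION(1000): MyApp: (no user): no domain: WIN-HOST: service started
2020 Jan 10 09:00:02 (win-host) 10.0.0.5->WinEvtLog WinEvtLog: Application: INFORMATION(1000): MyApp: (no user): no domain: WIN-HOST: service started
2020 Jan 10 09:00:03 (win-host) 10.0.0.5->WinEvtLog WinEvtLog: Application: WARNING(2001): MyApp: (no user): no domain: WIN-HOST: login failed for bob
2020 Jan 10 09:00:04 (win-host) 10.0.0.5->WinEvtLog WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no user): no domain: WIN-HOST: The Print Spooler service entered the running state.
2020 Jan 10 09:00:05 (win-host) 10.0.0.5->WinEvtLog WinEvtLog: Application: ERROR(3002): MyApp: (no user): no domain: WIN-HOST: config file unreadable
2020 Jan 10 09:00:06 (win-host) 10.0.0.5->WinEvtLog WinEvtLog: Application: WARNING(2001): MyApp: (no user): no domain: WIN-HOST: login failed for alice
EOF

# trim_sample LOGFILE SOURCE MAX_PER_ID
# Prints only lines whose event source is SOURCE, keeping the first
# MAX_PER_ID lines seen for each Event ID (the number in parentheses
# after the level, e.g. WARNING(2001)).
trim_sample() {
    grep -F "): $2: " "$1" | awk -v max="$3" '
        match($0, /\([0-9]+\): /) {
            id = substr($0, RSTART + 1, RLENGTH - 4)
            if (seen[id]++ < max) print
        }'
}

# count_event_ids LOGFILE SOURCE
# Number of distinct Event IDs the sample contains for SOURCE.
count_event_ids() {
    trim_sample "$1" "$2" 1 | wc -l | tr -d ' '
}

# Produce the file to attach to the plugin request: one line per pattern.
trim_sample "$SAMPLE_LOG" MyApp 1 > sample-MyApp.log
```

Raise the per-ID limit (for example to 3) if the Plugin Team should see variation within one Event ID, such as different user names in the same failed-login message.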

Note: As an alternate method to using the HIDS agent to collect log entries for Windows-based hosts and applications, you can also use the NXLog plugin provided with USM Appliance. Using this method, you update the nxlog.conf file to define the Windows event data you want to collect for a specific device. You can then submit, with your new plugin request, the log file data collected by the NXLog plugin (located in the /var/log/alienvault/devices/<IPaddress> folder on the USM Appliance Sensor). For more information, see Microsoft Windows Event Logs through NXLog.

Creating Sample Data for Events Stored in a Database

Creating a plugin for events stored in a database generally requires two things. First, you must define the query needed to extract the information you want to view in events, mapping database information to the standardized USM Appliance event fields. (You may also want to provide a mapping of the database schema, with the definition of the table columns that you want to include in captured event data.) Second, you will need to provide an export or dump of a subset of the data stored in the database to test the plugin.

Note: The methods of exporting data or creating data dumps and database queries will vary based on the specific database engine used, for example, Oracle or SQL Server. Consult your vendor’s documentation for specific information on performing the tasks mentioned.