Enable Plugins

Applies to Product: USM Appliance™ LevelBlue OSSIM®

LevelBlue provides more than one way to enable plugins in USM Appliance. First, you can enable plugins on specific discovered assets, or you can enable plugins globally on USM Appliance Sensors. In addition, based on the specific plugin, you can enable plugins using different tools, including the USM Appliance web UI, the Getting Started Wizard, or the LevelBlue console.

The following topics provide more information about the two choices available for enabling plugins.

Important: Be careful not to enable the same plugin twice, because this will generate duplicate events.

Below is a list of plugins that can only be enabled at the sensor level.

Plugin Name


av-useractivity A MySQL database plugin.
drupal-wiki A MySQL database plugin.
eljefe A MySQL database plugin.
linuxdhcp-idm An IDM plugin for Linux DHCP server.
monit Plugin for the monit service used in USM Appliance.
moodle A MySQL database plugin.
ossec-idm-single-line An IDM plugin for LevelBlue HIDS A USM Appliance feature and data source for intrusion detection that enables host-based log collection, file integrity monitoring, and, on Windows hosts only, rootkit detection and Windows registry integrity monitoring..
ossec-single-line Also known as the LevelBlue HIDS plugin. Enabled by default.
post_correlation A MySQL database plugin.
prads An IDM plugin for passive asset discovery. Enabled by default.
ssh-remote A pluign for OpenSSH.
suricata Also known as the LevelBlue NIDS plugin. Enabled by default.

For those plugins that allow it, enabling plugins on specific assets is generally recommended over enabling plugins on the USM Appliance Sensor. Plugins enabled at the asset level are automatically configured, whereas plugins enabled at the sensor level must often be configured first. For log-based plugins, this means setting up rsyslog collection and processing, and log rotation. (See Configure the USM Appliance Sensor to Receive Logs Through Syslog.)

Convenience and performance may also be factors in choosing whether to enable plugins on individual assets, or to enable them on the USM Appliance Sensor. Enabling plugins on individual assets can help distribute the load of handling heavy traffic by running copies of the plugin on multiple processors or cores, rather than on a single one. However, if you want to use the same plugin with a large number of assets, and volume of traffic is not an issue, you may find it easier to enable and configure the plugin on the sensor.

Note: In addition to enabling the plugin, you must also configured the application or device that the plugin is intended for to forward its log to USM Appliance. For your convenience, LevelBlue has composed a list of most commonly used devices and how to configure log forwarding on them. See Configure Log Forwarding on Commonly Used Data Sources.