Tutorial: Create a Plugin for Microsoft Exchange

Applies to Product: USM Appliance™ AlienVault OSSIM®

In this tutorial, we use Microsoft Exchange to show how to develop a log plugin. The preferred method of collecting logs from the Exchange Server is through NXLog. See Microsoft Exchange Server through NXLog for details.

Plugin Development Steps

  1. Examine the log file from the data source for which you want to create a plugin. Identify all the types of log messages, including messages that share a common structure but use different values.
  2. Create the <filename>.cfg file, either by writing a new file or by copying an existing and similar file, then rewriting it.
  3. Give the plugin a numeric ID. (See Creating a Plugin Configuration File for available values.)
  4. Specify the location of the file from which the plugin should read.
  5. Write regular expressions to parse individual messages from the log file.
  6. Test your regular expressions to see if they perform as they should, using a testing tool such as the one available at regex101.com.
  7. Create the .sql file by copying an existing and similar .sql file. Change the fields to describe events included in the custom plugin.
  8. Write the .sql file to the SIEM database.
  9. Enable the plugin through either the AlienVault Setup menu, the USM Appliance web UI, or a USM Appliance asset. (See Enable Plugins.)
  10. Test the plugin by sending logs from the data source to USM Appliance. (See Verify that an Enabled Plugin Is Working Properly.)
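As an added example (not part of this tutorial and not the product's own plugin code), the following Python harness exercises a named-group regular expression of the kind steps 5 and 6 call for against constructed, simplified Exchange message-tracking lines, and reports any line the expression fails to cover, which is the check step 1 asks for before the .cfg is written. The column layout, the field names and the event-ID-to-plugin_sid mapping are assumptions made for the example.

```python
import re

# Constructed, simplified message-tracking lines (NOT real log data). Assumed columns:
# date-time,client-ip,server-hostname,source,event-id,message-id,recipient,sender,subject
SAMPLE_LOG = """\
2024-01-15T10:22:31.123Z,10.0.0.5,EXCH01,SMTP,RECEIVE,<abc123@example.com>,user@example.com,sender@example.com,Weekly report, Q1
2024-01-15T10:22:32.456Z,,EXCH01,STOREDRIVER,DELIVER,<abc123@example.com>,user@example.com,sender@example.com,Weekly report, Q1
this line uses a layout the expression does not cover
"""

# One expression per message family, using named groups the plugin would map to fields.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z),"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})?,"   # client IP may be empty for internal events
    r"(?P<server>[^,]*),"
    r"(?P<source>[^,]*),"
    r"(?P<event_id>RECEIVE|SEND|DELIVER|FAIL|DEFER|SUBMIT|RESOLVE|TRANSFER),"
    r"(?P<message_id>[^,]*),"
    r"(?P<recipient>[^,]*),"
    r"(?P<sender>[^,]*),"
    r"(?P<subject>.*)$"                         # subject is last, so it may contain commas
)

# Hypothetical plugin_sid values, one per event type, as the .sql file would declare them.
PLUGIN_SIDS = {"RECEIVE": 1, "SEND": 2, "DELIVER": 3, "FAIL": 4, "DEFER": 5,
               "SUBMIT": 6, "RESOLVE": 7, "TRANSFER": 8}


def parse_line(line):
    """Return the extracted fields plus plugin_sid, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["plugin_sid"] = PLUGIN_SIDS[fields["event_id"]]
    return fields


def parse_log(text):
    """Parse every non-empty line that the expression covers."""
    return [f for f in (parse_line(ln) for ln in text.splitlines() if ln.strip()) if f]


def unmatched_lines(text):
    """Lines the expression does not cover: each one needs a new regexp or a fix to this one."""
    return [ln for ln in text.splitlines() if ln.strip() and parse_line(ln) is None]


if __name__ == "__main__":
    for row in parse_log(SAMPLE_LOG):
        print(row["date"], row["event_id"], row["plugin_sid"], row["src_ip"], row["subject"])
    print("unmatched:", unmatched_lines(SAMPLE_LOG))
```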