Verify that an Enabled Plugin Is Working Properly

Applies to Product: USM Appliance™ LevelBlue OSSIM®

It's good practice to test whether or not a plugin is working correctly, after you have enabled it in USM Appliance and configured the application or device to forward logs to USM Appliance.

Note: You can confirm the plugins enabled at the sensor level by viewing the [plugin] section of the /etc/ossim/agent/config.cfg file. Per-asset plugin configurations are stored in the /etc/ossim/agent/config.yml file.

To confirm an enabled plugin is working properly

  1. In the USM Appliance web UI, go to Analysis > Security Events (SIEM).
  2. In Data Sources, select the plugin for which you expect to see events.

    Security Events (SEIM) page from Analysis.

If you see events, the plugin is working properly.

If there are no events, you can troubleshoot by following the steps below.