Building Collector Plugins 1.1 - AlienVault

More documents

Recommendations

Info

Building Collector Plugins - Admin Guide 2 Configuring Detector Plugins 2.1 Rsyslog Rsyslog is the Syslog implementation shipped with OSSIM and allows configuring filtering and forwarding in a really easy way compared to the classical syslog daemon. Syslog is also the common method to send and receive logs. Before starting with the plugin configuration it is recommended to check whether the subset of logs the plugin will normalize are saved in an individual file and whether noise can be filtered before reaching the plugin rules. 2.1.1 Configuration File /etc/rsyslog.conf 2.1.2 Listener Configuration $ModLoad imudp $UDPServerRun 514 $ModLoad imtcp $InputTCPServerRun 514 2.1.3 Filters Forward certain events to a local file if $msg contains 'error' then /var/log/error if $syslogfacility-text == 'local0' and $msg startswith 'DEVNAME' and ($msg contains 'error1' or $msg contains 'error0') then /var/log/somelog Stop processing some events if $msg contains 'error' then ~ Regex in Rsyslog http://www.rsyslog.com/user-regex.php Page 10 Copyright © Alienvault 2010
Building Collector Plugins - Admin Guide 2.2 OSSIM Agent Configuration 2.2.1 Configuration File /etc/ossim/agent/config.cfg 2.2.2 Parameters [daemon] daemon: pid: [event-consolidation] [log] Daemon mode (True or False) Path to the PID file (Process identifier) Enables event consolidation at agent level. It is recommended to use polices instead of this feature as consolidation at the agent level affects the correlation process. by_plugin: enable: time: Example: [event-consolidation] List of plugins that will be consolidated Enable or disable (True or False) Wait n seconds to consolidate the events before sending them by_plugin=1001-1150,1501-1550,4001-4010 enable=False time=10 Configures the verbose level and the path to the different log files error: file: stats: [output-plain] verbose: File in which the error events will be stored File in which all the agent logs will be stored File in which the agent stats will be stored (Every 5 minutes) Configures the verbose level (Debug, Info, Warning, Error or Critical) Writes in a log file what is being sent to the OSSIM Server (Useful for debugging and developing purposes) enable: file: [output-server] Enable or disable (True or False) File in which the output-plain will be stored Configures the server to which events are sent enable: ip: port: Enable or disable sending events to the server (True or False) IP address of the OSSIM Server Listening port of the OSSIM Server Page 11 Copyright © Alienvault 2010
Page 1 and 2: Building Collector Plugins Admin Gu
Page 3 and 4: Building Collector Plugins - Admin
Page 9: Building Collector Plugins - Admin
Page 31 and 32: 5.2.10 Check whether the plugin was

Building Collector Plugins 1.1 - AlienVault

Create successful ePaper yourself

Delete template?

Save as template?