Building Collector Plugins 1.1 - AlienVault

More documents

Recommendations

Info

Building Collector Plugins - Admin Guide Table of Content 1 Overview ..................................................................................................................................................... 4 1.1 OSSIM Agent Role ............................................................................................................................... 4 1.1.1 Event Collection .......................................................................................................................... 4 1.1.2 Event Normalization ................................................................................................................... 4 1.2 OSSIM Server Role .............................................................................................................................. 6 1.2.1 Event Enrichment ....................................................................................................................... 6 1.2.2 Policies and Actions .................................................................................................................... 7 1.3 The Configuration Workflow .............................................................................................................. 8 2 Configuring Detector Plugins .................................................................................................................... 10 2.1 Rsyslog .............................................................................................................................................. 10 2.1.1 Configuration File ..................................................................................................................... 10 2.1.2 Listener Configuration .............................................................................................................. 10 2.1.3 Filters ........................................................................................................................................ 10 2.2 OSSIM Agent Configuration .............................................................................................................. 11 2.2.1 Configuration File ..................................................................................................................... 11 2.2.2 Parameters ............................................................................................................................... 11 2.3 Detector Plugin Configuration .......................................................................................................... 13 2.3.1 Configuration Files .................................................................................................................... 13 2.3.2 Common Event Types ............................................................................................................... 13 2.3.3 Parameters ............................................................................................................................... 13 2.3.4 Using Local (Plugin) Variables ................................................................................................... 15 2.3.5 Using Global (Agent) Variables ................................................................................................. 15 2.4 Aliases ............................................................................................................................................... 16 2.4.1 Path ........................................................................................................................................... 16 2.4.2 Predefined Regular Expressions ............................................................................................... 16 2.5 Functions .......................................................................................................................................... 16 2.5.1 Path ........................................................................................................................................... 16 2.5.2 Conversions .............................................................................................................................. 16 2.5.3 Application Specific Translations .............................................................................................. 17 2.5.4 User Defined Translations ........................................................................................................ 17 2.6 Event Fields ....................................................................................................................................... 18 2.7 Rules ................................................................................................................................................. 19 2.7.1 Evaluation Order....................................................................................................................... 19 Page 2 Copyright © Alienvault 2010
Building Collector Plugins - Admin Guide 2.7.2 Structure ................................................................................................................................... 19 2.8 Loading Plugins ................................................................................................................................. 21 2.8.1 Priority and Reliability values ................................................................................................... 21 2.8.2 SQL Statement .......................................................................................................................... 21 2.9 Plugin Activation ............................................................................................................................... 22 2.9.1 Activate the Plugin on the Server Side ..................................................................................... 22 2.9.2 Activate the Plugin on the Agent Side ...................................................................................... 22 3 Log files ..................................................................................................................................................... 22 4 Debugging ................................................................................................................................................. 22 5 Appendix ................................................................................................................................................... 23 5.1 Regular Expressions .......................................................................................................................... 23 5.2 Configuration Example ..................................................................................................................... 25 5.2.1 Scenario .................................................................................................................................... 25 5.2.2 Write a script to monitor the “last” status ............................................................................... 25 5.2.3 Log sample ................................................................................................................................ 25 5.2.4 Collect the logs in a new log file ............................................................................................... 25 5.2.5 Restart “rsyslog”....................................................................................................................... 26 5.2.6 Check whether the new entries are written in the new log file ............................................... 26 5.2.7 Create a plugin file .................................................................................................................... 26 5.2.8 Register the Plugin with the OSSIM Agent ............................................................................... 29 5.2.9 Register the Plugin with the OSSIM Server .............................................................................. 30 5.2.10 Check whether the plugin was successfully registered ............................................................ 31 5.2.11 Restart the OSSIM Server ......................................................................................................... 31 5.2.12 Restart the OSSIM Agent .......................................................................................................... 31 5.2.13 Check whether Events and Alarms are received ...................................................................... 32 Page 3 Copyright © Alienvault 2010
Page 1: Building Collector Plugins Admin Gu
Page 5 and 6: Building Collector Plugins - Admin
Page 31 and 32: 5.2.10 Check whether the plugin was

Building Collector Plugins 1.1 - AlienVault

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?