Building Collector Plugins 1.1 - AlienVault

Building Collector Plugins - Admin Guide
1 Overview
1.1 OSSIM Agent Role
1.1.1 Event Collection
The collection process involves extracting the data logs from the source systems (Security, OS,
RDBMS, etc.) and allows first steps for event log filtering. At this stage can be decided what is going
to be read by the OSSIM Agent and what is going to be discarded before having an impact on the
system performance.
Before starting to write a plugin some actions to reduce the amount of events could be considered:
- Manage the log level settings at the application and managed device level
- Fix the problem that is generating events
- Use Pcap filters to ignore certain hosts or networks (Snort, Tcpdump...)
- In deployments with a big amount of analysed data, filtering at the application level
should be done whenever possible
o
Log Files
Good practice is to use one log file per plugin in order to increase performance. Having just
one generic log file, all the plugins would have to read the same extensive content in order
to catch the few relevant entries.
Using rsyslog it is possible to filter the collected logs based on the syslog tags.
1.1.2 Event Normalization
In the normalization stage a series of rules or functions applies to the data extracted from the source
system in order to transform it in a common OSSIM format.
o
Raw Event
The raw event might be a generic syslog message, an application log, an SNMP trap, the
result of an SNMP or SQL Query or some other kind of information in a more or less
structured form that is appended to a log file.
Example:
dmz01:/var/log/auth.log:
May 30 13:15:52 dmz01 sshd[12980]: Accepted password for root from
192.168.178.20 port 4445 ssh2
Page 4 Copyright © Alienvault 2010