Supported services
All the services except Inspector get their data from log files stored in an S3 bucket. These services store their data in log files, which are configured inside <bucket type='TYPE'> </bucket> tags, while the Inspector service is configured inside <service type='inspector'> </service> tags.
The following table contains the most relevant information about configuring each service in ossec.conf:
| Service | Configuration tag | Type | Path to logs |
|---|---|---|---|
| | bucket | cloudtrail | <bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day> |
| | bucket | vpcflow | <bucket_name>/<prefix>/AWSLogs/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day> |
| | bucket | config | <bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day> |
| | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day> |
| | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day> |
| | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day> |
| | bucket | guardduty | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh> |
| | service | inspector | |
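
The path layouts in the table can be used to check that the objects in a bucket match the type it is configured with, since a mismatch means the logs will not be found where they are expected. The following is an added example, not code from this documentation or the project it describes; the function names, the sample keys, the optional prefix, the zero-padded date parts and the rule that each object sits directly under the last path component are assumptions of the example.

```python
import re

# Layouts from the table above, relative to the bucket root (bucket name removed).
# Assumptions of this example: <prefix> may be empty, date parts are zero-padded
# digits, and each log object sits directly under the last listed path component.
_DATE = r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})"
_PREFIX = r"^(?:(?P<prefix>.+)/)?"
_AWSLOGS = {"CloudTrail": "cloudtrail", "vpcflowlogs": "vpcflow", "Config": "config"}

_AWSLOGS_RE = re.compile(
    _PREFIX + r"AWSLogs/(?P<account_id>[^/]+)/"
    r"(?P<service>CloudTrail|vpcflowlogs|Config)/(?P<region>[^/]+)/"
    + _DATE + r"/[^/]+$"
)
_GUARDDUTY_RE = re.compile(_PREFIX + _DATE + r"/(?P<hh>\d{2})/[^/]+$")
_CUSTOM_RE = re.compile(_PREFIX + _DATE + r"/[^/]+$")


def classify_key(key):
    """Return (bucket_type, fields) for an S3 object key, or (None, {})."""
    m = _AWSLOGS_RE.match(key)
    if m:
        fields = m.groupdict()
        return _AWSLOGS[fields.pop("service")], fields
    # The guardduty layout has one more component (<hh>) than the custom one,
    # so it is tried first.
    for bucket_type, rx in (("guardduty", _GUARDDUTY_RE), ("custom", _CUSTOM_RE)):
        m = rx.match(key)
        if m:
            return bucket_type, m.groupdict()
    return None, {}


def audit_keys(keys, expected_type):
    """List the keys whose layout does not match the configured bucket type."""
    return [k for k in keys if classify_key(k)[0] != expected_type]


# Constructed sample keys (not taken from a real bucket).
SAMPLE_KEYS = [
    "trail/AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/17/events.json.gz",
    "flow/AWSLogs/123456789012/vpcflowlogs/eu-west-1/2024/05/17/flow.log.gz",
    "gd/2024/05/17/09/findings.jsonl.gz",
    "alerts/2024/05/17/alert.json",
    "trail/AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/events.json.gz",
]
```

Calling `audit_keys(SAMPLE_KEYS, "cloudtrail")` returns every sample key except the first, including the last one, whose path is missing the day component.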