Supported services

All services except Inspector get their data from log files stored in an S3 bucket. These services store their data in log files, which are configured inside <bucket type='TYPE'> </bucket> tags, whereas the Inspector service is configured inside <service type='inspector'> </service> tags.

The following table contains the most relevant information for configuring each service in ossec.conf:

| Provider | Service | Configuration tag | Type | Path to logs |
|----------|---------|-------------------|------|--------------|
| Amazon | CloudTrail | bucket | cloudtrail | `<bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>` |
| Amazon | VPC | bucket | vpcflow | `<bucket_name>/<prefix>/AWSLogs/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day>` |
| Amazon | Config | bucket | config | `<bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day>` |
| Amazon | KMS | bucket | custom | `<bucket_name>/<prefix>/<year>/<month>/<day>` |
| Amazon | Macie | bucket | custom | `<bucket_name>/<prefix>/<year>/<month>/<day>` |
| Amazon | Trusted Advisor | bucket | custom | `<bucket_name>/<prefix>/<year>/<month>/<day>` |
| Amazon | GuardDuty | bucket | guardduty | `<bucket_name>/<prefix>/<year>/<month>/<day>/<hh>` |
| Amazon | WAF | bucket | waf | `<bucket_name>/<prefix>/<year>/<month>/<day>/<hh>` |
| Amazon | Inspector | service | inspector | |
| Cisco | Umbrella | bucket | cisco_umbrella | `<bucket_name>/<prefix>/<year>-<month>-<day>` |
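
The path layouts in the table can be turned into a check that an S3 object key sits where the configured bucket type expects it, which helps when a bucket is configured but no events arrive. This is an added example, not code from the original page or the project it documents; the function names, the tolerance for one- or two-digit date parts and the sample keys are assumptions.

```python
import re
from datetime import date

# Date directories; the table does not state zero padding, so 1-2 digits are accepted.
DAY = r"(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})"
AWSLOGS = r"AWSLogs/(?P<account_id>\d{12})/SVC/(?P<region>[a-z0-9-]+)/" + DAY
HOURLY = DAY + r"/(?P<hh>\d{1,2})"

# "Path to logs" per bucket type, relative to <bucket_name>/<prefix>/.
LAYOUTS = {
    "cloudtrail": AWSLOGS.replace("SVC", "CloudTrail"),
    "vpcflow": AWSLOGS.replace("SVC", "vpcflowlogs"),
    "config": AWSLOGS.replace("SVC", "Config"),
    "custom": DAY,  # KMS, Macie, Trusted Advisor
    "guardduty": HOURLY,
    "waf": HOURLY,
    "cisco_umbrella": r"(?P<year>\d{4})-(?P<month>\d{1,2})-(?P<day>\d{1,2})",
}


def parse_key(key, bucket_type, prefix=""):
    """Return the path fields if key lies under the layout for bucket_type, else None."""
    prefix = prefix.strip("/")
    if prefix:
        if not key.startswith(prefix + "/"):
            return None  # object is outside the configured prefix
        key = key[len(prefix) + 1:]
    # The layout must be followed by "/" and a non-empty object name.
    m = re.fullmatch(LAYOUTS[bucket_type] + r"/.+", key)
    if m is None:
        return None
    fields = m.groupdict()
    try:  # reject impossible dates such as 2024/02/31
        date(int(fields["year"]), int(fields["month"]), int(fields["day"]))
    except ValueError:
        return None
    if int(fields.get("hh", 0)) > 23:
        return None
    return fields


def matching_types(key, prefix=""):
    """List every bucket type whose layout the key fits (several can share one)."""
    return [t for t in LAYOUTS if parse_key(key, t, prefix) is not None]


# Constructed sample keys, not taken from a real bucket.
SAMPLE_TRAIL = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/sample.json.gz"
SAMPLE_HOURLY = "2024/05/01/13/sample.jsonl.gz"
```

Because guardduty and waf share one layout, and the custom layout is a parent of both, the path alone cannot tell these types apart; `matching_types` returns every candidate so the configured type can be compared against the list.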