Supported services
All the services except Inspector get their data from log files stored in an S3 bucket. These services are configured inside <bucket type='TYPE'> </bucket> tags, while the Inspector service is configured inside <service type='inspector'> </service> tags.
The following table contains the most relevant information about configuring each service in ossec.conf:
Provider | Service | Configuration tag | Type | Path to logs
-------- | ------- | ----------------- | ---- | ------------
Amazon | | bucket | cloudtrail | <bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>
Amazon | | bucket | vpcflow | <bucket_name>/<prefix>/AWSLogs/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day>
Amazon | | bucket | config | <bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day>
Amazon | | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon | | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon | | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon | | bucket | guardduty | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
Amazon | | bucket | waf | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
Amazon | | service | inspector |
Cisco | | bucket | cisco_umbrella | <bucket_name>/<prefix>/<year>-<month>-<day>
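The following ossec.conf fragment is an added example, not taken from the page above, showing how the two configuration tags from the table sit side by side: one S3-backed service (a CloudTrail bucket, which the table lists as type cloudtrail) and the Inspector service, which has no bucket path. The enclosing <wodle name="aws-s3"> element is the Wazuh AWS module that hosts these tags; the bucket name my-cloudtrail-logs, the prefix, the region and the profile name are placeholders to be replaced with your own values.

```xml
<!-- Added example: one bucket-based service and the Inspector service
     configured together in the Wazuh AWS module (ossec.conf). -->
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>

  <!-- Bucket-based service: type matches the "Type" column of the table.
       Logs are read from
       <bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>.
       "my-cloudtrail-logs" and "prod/" are placeholder values. -->
  <bucket type="cloudtrail">
    <name>my-cloudtrail-logs</name>
    <path>prod/</path>
    <only_logs_after>2019-01-01</only_logs_after>
    <aws_profile>default</aws_profile>
  </bucket>

  <!-- Inspector does not read from an S3 bucket, so it uses a
       <service> tag with no <name>/<path>; findings are pulled per region.
       The region and profile name are placeholders. -->
  <service type="inspector">
    <regions>us-east-1</regions>
    <aws_profile>default</aws_profile>
  </service>
</wodle>
```

When reviewing such a configuration, confirm that each <bucket> element's type matches the layout the table gives for that service, since a type that does not match the key layout in the bucket results in no log files being found rather than an explicit error.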