Supported services

Every service except Inspector is read from log files stored in an S3 bucket. Those services are configured inside <bucket type='TYPE'> </bucket> tags, where TYPE selects the parser and the expected layout of the log objects in the bucket (the Type column below). Inspector is the exception: its data is not read from a bucket, so it is configured inside <service type='inspector'> </service> tags instead.

The following table lists, for each supported service, the configuration tag and type value to use in ossec.conf, and the path under which the service's log files are expected to be found. <prefix> stands for the optional path configured inside the bucket; KMS, Macie and Trusted Advisor all use the custom type and share one layout. Before enabling a bucket, check that its objects really sit under the listed path, since a mismatched prefix or date layout means no logs are collected:

Provider | Service         | Configuration tag | Type           | Path to logs
---------+-----------------+-------------------+----------------+----------------------------------------------------------------------------------
Amazon   | CloudTrail      | bucket            | cloudtrail     | <bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>
Amazon   | VPC             | bucket            | vpcflow        | <bucket_name>/<prefix>/AWSLogs/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day>
Amazon   | Config          | bucket            | config         | <bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day>
Amazon   | KMS             | bucket            | custom         | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon   | Macie           | bucket            | custom         | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon   | Trusted Advisor | bucket            | custom         | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon   | GuardDuty       | bucket            | guardduty      | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
Amazon   | WAF             | bucket            | waf            | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
Amazon   | Inspector       | service           | inspector      | not applicable (not read from a bucket)
Cisco    | Umbrella        | bucket            | cisco_umbrella | <bucket_name>/<prefix>/<year>-<month>-<day>
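The following is an added example, not code from this page or from the Wazuh project: it turns the table above into a small check a practitioner can run before enabling a bucket. It parses a constructed ossec.conf fragment, reads the type attribute of each <bucket> and <service> tag, and prints the S3 location where each service's log files are expected for a given account, region and date. The <wodle name="aws-s3"> wrapper and the <name> and <path> child options are assumptions about the surrounding configuration (they are not shown on this page), the sample config and account id are constructed, and year/month/day/hour are assumed to be zero-padded.

```python
"""Compute the expected S3 locations for the bucket types in the table above."""
import datetime as dt
import xml.etree.ElementTree as ET

# Key layouts below the bucket name, copied from the table. {prefix} is the
# optional path configured for the bucket (empty or "path/"), {acct} and
# {region} come from the AWS account; {y}/{m}/{d}/{hh} are zero-padded
# (assumption: the table does not state the padding).
BUCKET_LAYOUTS = {
    "cloudtrail":     "{prefix}AWSLogs/{acct}/CloudTrail/{region}/{y}/{m}/{d}",
    "vpcflow":        "{prefix}AWSLogs/{acct}/vpcflowlogs/{region}/{y}/{m}/{d}",
    "config":         "{prefix}AWSLogs/{acct}/Config/{region}/{y}/{m}/{d}",
    "custom":         "{prefix}{y}/{m}/{d}",        # KMS, Macie, Trusted Advisor
    "guardduty":      "{prefix}{y}/{m}/{d}/{hh}",
    "waf":            "{prefix}{y}/{m}/{d}/{hh}",
    "cisco_umbrella": "{prefix}{y}-{m}-{d}",
}

# Services configured with <service type=...> instead of a bucket.
SERVICE_TYPES = {"inspector"}

# Constructed sample configuration (assumed <wodle>, <name> and <path> tags).
SAMPLE_CONFIG = """
<wodle name="aws-s3">
  <bucket type="cloudtrail">
    <name>org-cloudtrail-logs</name>
  </bucket>
  <bucket type="guardduty">
    <name>org-guardduty-findings</name>
    <path>findings</path>
  </bucket>
  <bucket type="cisco_umbrella">
    <name>umbrella-export</name>
    <path>dnslogs/</path>
  </bucket>
  <service type="inspector"></service>
</wodle>
"""
SAMPLE_ACCOUNT = "123456789012"           # constructed account id
SAMPLE_REGION = "us-east-1"
SAMPLE_TIME = dt.datetime(2023, 3, 7, 9, 0)


def key_prefix(bucket_type, path, account_id, region, when):
    """Return the object-key prefix (without the bucket name) for one type.

    Raises ValueError for a type that is not in the supported-services table,
    so a typo in ossec.conf is caught before anything is deployed.
    """
    if bucket_type not in BUCKET_LAYOUTS:
        raise ValueError(f"unsupported bucket type: {bucket_type!r}")
    clean = (path or "").strip("/")
    prefix = clean + "/" if clean else ""
    return BUCKET_LAYOUTS[bucket_type].format(
        prefix=prefix, acct=account_id, region=region,
        y=f"{when.year:04d}", m=f"{when.month:02d}",
        d=f"{when.day:02d}", hh=f"{when.hour:02d}")


def expected_locations(config_xml, account_id, region, when):
    """Map every <bucket>/<service> in the fragment to its expected S3 URI.

    Returns a list of (type, uri); uri is None for API-based services such
    as Inspector, which have no bucket path.
    """
    root = ET.fromstring(config_xml)
    result = []
    for el in root.iter():
        if el.tag == "bucket":
            btype = el.get("type")
            name = el.findtext("name")
            path = el.findtext("path") or ""
            uri = f"s3://{name}/{key_prefix(btype, path, account_id, region, when)}"
            result.append((btype, uri))
        elif el.tag == "service":
            stype = el.get("type")
            if stype not in SERVICE_TYPES:
                raise ValueError(f"unsupported service type: {stype!r}")
            result.append((stype, None))
    return result


def demo():
    """Run the check over the constructed sample configuration."""
    return expected_locations(SAMPLE_CONFIG, SAMPLE_ACCOUNT, SAMPLE_REGION, SAMPLE_TIME)


if __name__ == "__main__":
    for service_type, location in demo():
        print(f"{service_type:15} {location or '(no bucket path)'}")
```

Run it against your own ossec.conf fragment and compare the printed URIs with an `aws s3 ls` of the bucket for a recent day: if the listing is empty under that prefix, the bucket's path or type does not match the layout the service actually writes.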