Supported services
All services except Inspector and CloudWatch Logs read their data from log files stored in an S3 bucket. Those services are configured inside <bucket type="TYPE"></bucket> tags, where the type attribute selects the key layout the module expects to find in the bucket. Inspector and CloudWatch Logs are not read from S3 and are configured inside <service type="inspector"></service> and <service type="cloudwatchlogs"></service> tags, respectively.
The following table summarizes the most relevant information for configuring each service in ossec.conf: the configuration tag, the value of its type attribute, and the layout under which the log files are expected. A bucket entry whose objects do not follow the layout shown for its type will be scanned without producing any events, so check the layout against the actual keys in the bucket before troubleshooting anything else.
Provider | Service         | Configuration tag | Type           | Path to logs
---------|-----------------|-------------------|----------------|----------------------------------------------------------------------------------
Amazon   | CloudTrail      | bucket            | cloudtrail     | <bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>
Amazon   | VPC Flow Logs   | bucket            | vpcflow        | <bucket_name>/<prefix>/AWSLogs/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day>
Amazon   | Config          | bucket            | config         | <bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day>
Amazon   |                 | bucket            | custom         | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon   |                 | bucket            | custom         | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon   |                 | bucket            | custom         | <bucket_name>/<prefix>/<year>/<month>/<day>
Amazon   | GuardDuty       | bucket            | guardduty      | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
Amazon   | WAF             | bucket            | waf            | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
Amazon   | Inspector       | service           | inspector      | n/a (not read from S3)
Amazon   | CloudWatch Logs | service           | cloudwatchlogs | n/a (not read from S3)
Cisco    | Umbrella        | bucket            | cisco_umbrella | <bucket_name>/<prefix>/<year>-<month>-<day>

The Service column for the three custom rows is not carried by this page, so those cells are left empty. Note that GuardDuty and WAF are stored per hour (<hh>) and Cisco Umbrella uses a single dashed date directory rather than nested year, month and day directories.
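The following is an added example (not code from this page or from the Wazuh project) that turns the layouts in the table into something you can check against a real bucket: it computes the key prefix the module will scan for a given bucket type, account, region and date, tests whether an observed object key fits the layout for a type, and walks a constructed ossec.conf fragment to report the expected prefix for every <bucket> entry and nothing for <service> entries. The wodle name aws-s3 and the <name> and <path> children of <bucket> are assumptions taken from the Wazuh AWS module documentation, not from this page; the sample ossec.conf, account ID, region and object keys are all constructed for the example.

```python
"""Derive, from <bucket>/<service> entries, where the AWS module will look for logs."""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Key layouts per bucket type, transcribed from the table above. {prefix} is the
# optional path configured for the bucket (with a trailing slash when present).
LAYOUTS = {
    "cloudtrail":     "{prefix}AWSLogs/{account_id}/CloudTrail/{region}/{year}/{month}/{day}/",
    "vpcflow":        "{prefix}AWSLogs/{account_id}/vpcflowlogs/{region}/{year}/{month}/{day}/",
    "config":         "{prefix}AWSLogs/{account_id}/Config/{region}/{year}/{month}/{day}/",
    "custom":         "{prefix}{year}/{month}/{day}/",
    "guardduty":      "{prefix}{year}/{month}/{day}/{hh}/",
    "waf":            "{prefix}{year}/{month}/{day}/{hh}/",
    "cisco_umbrella": "{prefix}{year}-{month}-{day}/",
}

# <service> types: not read from S3, so there is no key layout to check.
API_SERVICES = {"inspector", "cloudwatchlogs"}

# Regex fragments used when checking whether an observed key fits a layout.
_PLACEHOLDER_RE = {
    "prefix": r"(?:.+/)?",      # any configured path, or none at all
    "account_id": r"\d{12}",
    "region": r"[a-z0-9-]+",
    "year": r"\d{4}",
    "month": r"\d{2}",
    "day": r"\d{2}",
    "hh": r"\d{2}",
}


def expected_prefix(bucket_type, bucket_name, path, account_id, region, day, hour=None):
    """Return 'bucket/key-prefix' the module scans for this type on the given day."""
    if bucket_type not in LAYOUTS:
        raise ValueError(f"unsupported bucket type: {bucket_type}")
    layout = LAYOUTS[bucket_type]
    if "{hh}" in layout and hour is None:
        raise ValueError(f"{bucket_type} logs are stored per hour; pass hour=")
    prefix = path.strip("/") + "/" if path else ""
    key = layout.format(
        prefix=prefix, account_id=account_id, region=region,
        year=f"{day:%Y}", month=f"{day:%m}", day=f"{day:%d}",
        hh="" if hour is None else f"{hour:02d}",
    )
    return f"{bucket_name}/{key}"


def layout_regex(bucket_type):
    """Compile a regex matching any object key (without bucket name) laid out as the table says."""
    parts = re.split(r"\{(\w+)\}", LAYOUTS[bucket_type])  # literal, name, literal, name, ...
    pattern = "".join(_PLACEHOLDER_RE[p] if i % 2 else re.escape(p) for i, p in enumerate(parts))
    return re.compile("^" + pattern + r"[^/]+$")          # the tail is the object file name


def matches_layout(bucket_type, key):
    """True when an observed S3 key is somewhere the module would look for this type."""
    return bool(layout_regex(bucket_type).match(key))


def expected_prefixes_from_conf(conf_xml, account_id, region, day, hour=None):
    """Return (type, bucket/prefix or None) for every bucket/service entry in the aws-s3 wodle.

    ASSUMPTION: the wodle name 'aws-s3' and the <name>/<path> children of <bucket>
    follow the Wazuh AWS module documentation; they are not stated on this page.
    """
    wodle = ET.fromstring(conf_xml).find(".//wodle[@name='aws-s3']")
    if wodle is None:
        raise ValueError("no <wodle name=\"aws-s3\"> entry in configuration")
    results = []
    for el in wodle:
        kind = el.get("type")
        if el.tag == "bucket":
            results.append((kind, expected_prefix(kind, el.findtext("name"), el.findtext("path", ""),
                                                  account_id, region, day, hour)))
        elif el.tag == "service" and kind in API_SERVICES:
            results.append((kind, None))  # pulled through the API; nothing to look for in S3
    return results


# Constructed sample configuration and date used by the demo below.
SAMPLE_CONF = """<ossec_config>
  <wodle name="aws-s3">
    <bucket type="cloudtrail"><name>example-logs</name><path>prod</path></bucket>
    <bucket type="guardduty"><name>example-logs</name><path>guardduty</path></bucket>
    <bucket type="cisco_umbrella"><name>umbrella-logs</name></bucket>
    <service type="inspector"/>
    <service type="cloudwatchlogs"/>
  </wodle>
</ossec_config>
"""
SAMPLE_DAY = date(2024, 5, 6)

if __name__ == "__main__":
    for kind, where in expected_prefixes_from_conf(SAMPLE_CONF, "123456789012", "us-east-1", SAMPLE_DAY, hour=3):
        print(f"{kind:15} {where or '(not read from S3)'}")
```

Compare the printed prefixes with what aws s3 ls shows for the same day; a key that fails matches_layout() for the configured type is the usual reason a bucket entry yields no events.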