Supported services

All the services except Inspector Classic and CloudWatch Logs get their data from log files stored in an S3 bucket. These services store their data into log files which are configured inside <bucket type='TYPE'> </bucket> tags, while Inspector Classic and CloudWatch Logs services are configured inside <service type='inspector'> </service> and <service type='cloudwatchlogs'> </service> tags, respectively.

New in version 4.4.2.

The <subscriber type='TYPE'> </subscriber> tags are added in order to obtain logs from Amazon Security Lake buckets.

The next table contains the most relevant information about configuring each service in the ossec.conf file, as well as the path where the logs will be stored in the bucket if the corresponding service uses them as its storage medium:

Provider

Service

Configuration tag

Type

Path to logs

Amazon

CloudTrail

bucket

cloudtrail

<bucket_name>/<prefix>/AWSLogs/<suffix>/<organization_id>/<account_id>/CloudTrail/<region>/<year>/<month>/<day>

Amazon

VPC

bucket

vpcflow

<bucket_name>/<prefix>/AWSLogs/<suffix>/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day>

Amazon

Config

bucket

config

<bucket_name>/<prefix>/AWSLogs/<suffix>/<account_id>/Config/<region>/<year>/<month>/<day>

Amazon

ALB

bucket

alb

<bucket_name>/<prefix>/AWSLogs/<account_id>/elasticloadbalancing/<region>/<year>/<month>/<day>

Amazon

CLB

bucket

clb

<bucket_name>/<prefix>/AWSLogs/<account_id>/elasticloadbalancing/<region>/<year>/<month>/<day>

Amazon

NLB

bucket

nlb

<bucket_name>/<prefix>/AWSLogs/<account_id>/elasticloadbalancing/<region>/<year>/<month>/<day>

Amazon

KMS

bucket

custom

<bucket_name>/<prefix>/<year>/<month>/<day>

Amazon

Macie

bucket

custom

<bucket_name>/<prefix>/<year>/<month>/<day>

Amazon

Trusted Advisor

bucket

custom

<bucket_name>/<prefix>/<year>/<month>/<day>

Amazon

GuardDuty Native

bucket

guardduty

<bucket_name>/<prefix>/AWSLogs/<suffix>/<account_id>/GuardDuty/<region>/<year>/<month>/<day>

Amazon

GuardDuty Firehose

bucket

guardduty

<bucket_name>/<prefix>/<year>/<month>/<day>/<hh>

Amazon

WAF

bucket

waf

<bucket_name>/<prefix>/<year>/<month>/<day>/<hh>

Amazon

S3 Server Access logs

bucket

server_access

<bucket_name>/<prefix>

Amazon

Inspector Classic

service

inspector

Amazon

CloudWatch Logs

service

cloudwatchlogs

Amazon

Amazon ECR Image scanning

service

cloudwatchlogs

Amazon

Amazon Security Lake

subscriber

security_lake

Amazon

Custom Logs Buckets

subscriber

buckets

Cisco

Umbrella

bucket

cisco_umbrella

<bucket_name>/<prefix>/<year>-<month>-<day>