OSSEC

Scanner supports OSSEC logs, which contain a wide range of security-related information gathered from various sources on a host for host-based intrusion detection. For Scanner to see them, you need to configure a workflow that pushes the logs to an S3 bucket that Scanner is linked to.

In this guide, we will show how to use Wazuh to write OSSEC logs to a local file, and then use Fluentd to push these logs to S3.

Step 1: Publish to S3

Wazuh has a module called fluent-forward that will publish OSSEC logs to Fluentd. You can then use Fluentd to write logs to an S3 bucket.

You can follow the Wazuh documentation to configure the fluent-forward module. Make sure to set the log format to json. See the Wazuh documentation on the fluent-forward module for more information.

You can follow the Fluentd documentation to configure it to write logs to S3. Make sure to configure the output format to be JSON. See: Fluentd s3 output module
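The two configuration fragments that Step 1 calls for, as an added example that is not part of the Scanner, Wazuh or Fluentd documentation. The script writes a Wazuh ossec.conf fragment (socket, localfile with json log format, fluent-forward module) and a Fluentd fragment (forward input guarded by a shared key, json formatter, S3 output), then cross-checks the values that must agree on both sides: the forward port, the shared key, and that the Fluentd match pattern actually covers the Wazuh tag. The socket path, tag, bucket name, region, buffer path, hostnames and the shared-key placeholder are all assumptions; Fluentd is assumed to run on the same host as the Wazuh manager and to authenticate to S3 through an IAM role rather than static keys.

```shell
#!/bin/sh
# Added example (not from the Scanner, Wazuh or Fluentd docs): writes the two
# config fragments for Step 1 and cross-checks the values that must agree.
# Socket path, tag, bucket, region, hostnames and the key are placeholders.

FLUENT_PORT=24224
FLUENT_TAG="wazuh.alerts"
SHARED_KEY="replace-with-a-long-random-secret"

# Fragment for /var/ossec/etc/ossec.conf on the Wazuh manager. The localfile
# reads alerts.json as JSON and hands each record to the custom socket instead
# of the agent queue; the fluent-forward module drains that socket to Fluentd.
write_wazuh_fragment() {
  cat > "$1" <<EOF
<ossec_config>
  <socket>
    <name>fluent_socket</name>
    <location>/var/run/fluent.sock</location>
    <mode>udp</mode>
  </socket>

  <localfile>
    <log_format>json</log_format>
    <location>/var/ossec/logs/alerts/alerts.json</location>
    <target>fluent_socket</target>
  </localfile>

  <fluent-forward>
    <enabled>yes</enabled>
    <tag>${FLUENT_TAG}</tag>
    <socket_path>/var/run/fluent.sock</socket_path>
    <address>localhost</address>
    <port>${FLUENT_PORT}</port>
    <shared_key>${SHARED_KEY}</shared_key>
    <timeout>0</timeout>
  </fluent-forward>
</ossec_config>
EOF
}

# Fragment for fluent.conf: forward input with the same shared key, JSON
# formatter, time-sliced S3 output. Needs fluent-plugin-s3 installed.
write_fluentd_fragment() {
  cat > "$1" <<EOF
<source>
  @type forward
  port ${FLUENT_PORT}
  bind 127.0.0.1
  <security>
    self_hostname fluentd-host
    shared_key ${SHARED_KEY}
  </security>
</source>

<match wazuh.**>
  @type s3
  # No aws_key_id/aws_sec_key: give the host an IAM role with s3:PutObject
  # on this prefix instead of embedding static credentials in the config.
  s3_bucket scanner-ossec-logs
  s3_region us-east-1
  path ossec/%Y/%m/%d/
  <format>
    @type json
  </format>
  <buffer time>
    @type file
    path /var/log/fluent/s3-buffer
    timekey 300
    timekey_wait 60
  </buffer>
</match>
EOF
}

# First value of <key>...</key> in an XML file.
xml_value() { sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" "$1" | head -n 1; }
# First "key value" line in a Fluentd config.
conf_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Returns 0 when port, shared key and tag routing agree; prints what differs.
configs_consistent() {
  wazuh="$1"; fluentd="$2"; ok=0
  [ "$(xml_value "$wazuh" port)" = "$(conf_value "$fluentd" port)" ] \
    || { echo "port mismatch"; ok=1; }
  [ "$(xml_value "$wazuh" shared_key)" = "$(conf_value "$fluentd" shared_key)" ] \
    || { echo "shared_key mismatch"; ok=1; }
  tag="$(xml_value "$wazuh" tag)"
  # Fluentd's '**' matches any number of tag parts; a shell '*' is close enough.
  pattern="$(sed -n 's/^<match \(.*\)>$/\1/p' "$fluentd" | sed 's/\*\*/*/g' | head -n 1)"
  [ -n "$pattern" ] || { echo "no <match> block"; return 1; }
  case "$tag" in
    $pattern) ;;
    *) echo "tag '$tag' not routed by '<match $pattern>'"; ok=1 ;;
  esac
  return $ok
}

tmp="$(mktemp -d)"
write_wazuh_fragment "$tmp/ossec-fluent.conf"
write_fluentd_fragment "$tmp/fluent.conf"
configs_consistent "$tmp/ossec-fluent.conf" "$tmp/fluent.conf" && echo "configs agree"
```

Merge the Wazuh fragment into the manager's ossec.conf and restart wazuh-manager; place the Fluentd fragment in fluent.conf after `fluent-gem install fluent-plugin-s3`. If Fluentd lives on another host, set `<ca_file>` in the fluent-forward block so the forward connection is TLS-protected rather than plaintext, and bind the Fluentd source to that interface instead of 127.0.0.1. The cross-check catches the two silent failure modes seen in practice: a shared key that differs on one side (records are dropped with an authentication error in the Fluentd log) and a match pattern that does not cover the Wazuh tag (records arrive but never reach S3).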

Step 2: Ingest via Scanner Collect

Follow the instructions here to ingest logs from S3 via Scanner Collect.
