# OSSEC

Scanner supports OSSEC logs, which contain a wide range of security-related information gathered from various sources on a system for host-based intrusion detection. In order for Scanner to see them, you need to configure a workflow to can push logs to an S3 bucket that Scanner is linked to.

In this guide, we will show how to use Wazuh to write OSSEC logs to a local file, and then use Fluentd to push these logs to S3.

## Step 1: Publish to S3

Wazuh has a module called **fluent-forward** that will publish OSSEC logs to Fluentd. You can then use Fluentd to write logs to an S3 bucket.

You can follow the Wazuh documentation to configure the **fluent-forward** module. Make sure to set the log format to **json**. See these Wazuh documentation articles for more information:

* [Forward alerts with Fluentd](https://wazuh.com/blog/forward-alerts-with-fluentd/)
* [fluent-forward](https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/fluent-forward.html)

You can follow the Fluentd documentation to configure it to write logs to S3. Make sure to configure the output format to be **JSON**. See: [Fluentd s3 output module](https://docs.fluentd.org/output/s3)

## Step 2: Ingest via Scanner Collect

Follow the instructions [here](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/custom-logs-aws-s3) to ingest logs from S3 via Scanner Collect