# OSSEC

Scanner supports OSSEC logs, which contain a wide range of security-related information gathered from various sources on a system for host-based intrusion detection. For Scanner to see them, you need to configure a workflow that pushes the logs to an S3 bucket that Scanner is linked to.

In this guide, we will show how to use Wazuh to write OSSEC logs to a local file, and then use Fluentd to push these logs to S3.

## Step 1: Publish to S3

Wazuh has a module called **fluent-forward** that will publish OSSEC logs to Fluentd. You can then use Fluentd to write logs to an S3 bucket.

You can follow the Wazuh documentation to configure the **fluent-forward** module. Make sure to set the log format to **json**. See these Wazuh documentation articles for more information:

* [Forward alerts with Fluentd](https://wazuh.com/blog/forward-alerts-with-fluentd/)
* [fluent-forward](https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/fluent-forward.html)

You can follow the Fluentd documentation to configure it to write logs to S3. Make sure to configure the output format to be **JSON**. See: [Fluentd s3 output module](https://docs.fluentd.org/output/s3)
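The following Fluentd configuration sketches the Fluentd side of this step. It is an added example, not taken from the Scanner, Wazuh, or Fluentd documentation. It assumes the **fluent-forward** module sends to `localhost` port `24224` with the tag `wazuh`; the bucket name, region, key prefix, and buffer path are placeholders.

```conf
# Added example: receive Wazuh events and write them to S3 as JSON.
# Values marked "placeholder" must be replaced for your environment.

<source>
  @type forward
  # Accept connections from the local host only. This assumes the Wazuh
  # manager and Fluentd run on the same machine.
  bind 127.0.0.1
  port 24224
</source>

# Assumes the fluent-forward module is configured with the tag "wazuh".
<match wazuh>
  @type s3

  # Placeholder: the S3 bucket that Scanner is linked to, and its region.
  s3_bucket EXAMPLE-SCANNER-LINKED-BUCKET
  s3_region us-west-2

  # Placeholder: key prefix for the OSSEC log objects.
  path ossec/

  # No aws_key_id / aws_sec_key here: this assumes credentials come from an
  # IAM role or the environment, so no long-lived keys sit in this file.
  # Scope that role to writing objects under this bucket and prefix only.

  <buffer time>
    @type file
    # Placeholder: local buffer directory; restrict its permissions, since
    # it holds alert data until each chunk is uploaded.
    path /var/log/fluent/s3-ossec
    # Upload one object per 5-minute window, 1 minute after it closes.
    timekey 300
    timekey_wait 60
    timekey_use_utc true
  </buffer>

  # Write each event as a JSON object, as this guide requires.
  <format>
    @type json
  </format>
</match>
```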

## Step 2: Ingest via Scanner Collect

Follow the instructions [here](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/custom-logs-aws-s3) to ingest logs from S3 via Scanner Collect.


