Documentation Center
AlienVault® USM Anywhere™

Collecting Linux System Logs

In USM Anywhere, you can centralize the collection and analysis of Linux event logs from your servers, making it easier to track the health and security of these systems.

Note: With the addition of the AlienVault Agent, USM Anywhere provides an easier implementation of HIDS, FIM, and endpoint log collection across your Linux environments in the cloud and on premises. If you already have osquery installed and configured on your endpoints to forward events to a USM Anywhere Sensor, this method is still supported.

Using the AlienVault Agent

The AlienVault Agent provides simple installation, configuration, and management for host monitoring in USM Anywhere, without the manual configuration and setup tasks that a third-party agent requires. When you install the AlienVault Agent on a Linux host, it communicates over an encrypted channel to send data directly to USM Anywhere. The agent installation script configures a default set of folders, files, and registries to automatically support file integrity monitoring. You can set the configuration profile to manage the queries that USM Anywhere runs for an asset associated with a deployed agent.

This is the best choice for monitoring endpoints outside of the network, in remote locations, or where deploying a sensor is impractical. Additionally, it provides the ability to query the asset for additional forensic data as part of your investigation activities. For more information about the AlienVault Agent and how you can use it to simplify your endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities, see The AlienVault Agent.

After you have the AlienVault Agent installed on your endpoints, you can verify the agent query events in USM Anywhere.

Select the AlienVault Agent plugin to filter the Events page

Using a Manual syslog and osquery Configuration

Linux systems must use syslog to send log data to the USM Anywhere Sensor IP address over UDP on port 514, over TCP on port 601, or as TLS-encrypted data over TCP on port 6514. If you want to gain more visibility and use file integrity monitoring (FIM) on your Linux systems, USM Anywhere also supports osquery by default.

Using syslog to Send Logs from a Linux System

Syslog is an industry standard message logging system that is used on many devices and platforms. It provides a mechanism for network devices to send event messages to a logging server, also known as a syslog server. For example, a router might send messages about users logging on to console sessions, while a web server might log access-denied events.

Follow the procedure that corresponds to the Linux distribution you use.

Collecting Logs from Linux Using osquery

osquery is an operating system instrumentation framework for Linux that exposes the operating system as a high-performance relational database, so that SQL queries can explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes.

You must have sudo privileges to complete this procedure.

For information about installing osquery with a Log Agent wrapper in an AWS environment, see Installing osquery and CloudWatch Through the Log Agent.

To collect logs from Linux using osquery with a manual configuration

  1. If you do not yet have osquery, download it and follow the instructions appropriate for your operating system.
  2. Create a text file called osquery.conf and copy-paste the contents of this file into it.

    Important: After you copy-paste the text, make sure to edit it so that all strings with equals signs (=) in them remain on the same line. Otherwise, this procedure will fail.

  3. Save osquery.conf and copy it to /etc/osquery/.

    Note: We recommend leaving the queries created by default, but you can create your own osquery configuration.

  4. Start the osquery daemon:

     osqueryd --daemonize --config_path /etc/osquery/osquery.conf

  5. If you have not already done so, use one of the procedures in the Using syslog to Send Logs from a Linux System section to configure syslog to send data to the USM Anywhere Sensor.

    This should include restarting the syslog service.

  6. Verify that you can see osquery events in USM Anywhere.

    Select the Osquery plugin to filter the Events page
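The osquery.conf that step 2 tells you to copy is linked rather than shown here. The following Python is an added example, not the file the documentation links to and not AlienVault or osquery project code: it renders a minimal constructed configuration that writes results through osquery's syslog logger plugin (so the local syslog daemon configured in step 5 forwards them to the Sensor), and it implements the check behind the Important note in step 2, finding strings that an editor has wrapped across lines and re-joining them so the JSON parses again. The option, flag and table names are osquery's; the specific queries, intervals and watched paths are assumptions.

```python
import json

# Assumed configuration, not the file the documentation links to. osqueryd
# writes scheduled-query results with its syslog logger plugin; the local
# syslog daemon then forwards them to the USM Anywhere Sensor.
OSQUERY_CONF = {
    "options": {
        "logger_plugin": "syslog",
        "disable_events": "false",     # event-based tables need the event system
        "enable_file_events": "true",  # required for file integrity monitoring
    },
    "schedule": {
        "file_events": {"query": "SELECT * FROM file_events;", "interval": 300, "removed": False},
        "listening_ports": {"query": "SELECT pid, port, protocol FROM listening_ports WHERE port != 0;", "interval": 600},
        "root_accounts": {"query": "SELECT username, uid, shell FROM users WHERE uid = 0;", "interval": 3600},
    },
    # Paths watched by file_events: %% recurses, % matches one directory level.
    "file_paths": {"etc": ["/etc/%%"], "binaries": ["/usr/bin/%", "/usr/sbin/%"]},
}

def render_conf() -> str:
    """Serialize the config as it should be saved to /etc/osquery/osquery.conf."""
    return json.dumps(OSQUERY_CONF, indent=2)

def _unescaped_quotes(line: str) -> int:
    count, prev = 0, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            count += 1
        prev = ch
    return count

def unterminated_string_lines(text: str) -> list:
    """1-based line numbers on which a JSON string opens or closes without its partner."""
    return [n for n, line in enumerate(text.splitlines(), 1) if _unescaped_quotes(line) % 2]

def repair_wrapped_strings(text: str) -> str:
    """Re-join lines an editor wrapped inside a string (assumes the wrap replaced a
    space, as word wrap does), then prove the result parses as JSON again."""
    lines, inside = [], False
    for line in text.splitlines():
        if inside:
            lines[-1] = lines[-1].rstrip() + " " + line.strip()
        else:
            lines.append(line)
        inside = inside != bool(_unescaped_quotes(line) % 2)  # toggle on unbalanced quotes
    fixed = "\n".join(lines)
    json.loads(fixed)  # raises ValueError if the file is still not valid JSON
    return fixed
```

Run unterminated_string_lines on the saved file before starting osqueryd; an empty list means every string, including those containing "=", is still on one line.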