The Log Agent is a wrapper for installing third-party software with USM Anywhere-specific configurations that collect and transmit system events and logs on Linux systems in your AWS environment. It detects your Linux distribution and version and determines whether it is supported.
Note: If you prefer a more manual approach to installation, see Collecting Logs from Linux Using osquery.
The USM Anywhere Log Agent installer, which supports osquery (an agent that runs on Linux hosts and is used for File Integrity Monitoring (FIM) and log collection) and an AWS CloudWatch configuration, is available for the following Linux distributions and versions.
About the osquery and CloudWatch Log Agent
After verifying the distribution and version, the Log Agent installs osquery, downloaded from an AWS S3 bucket.
It creates a custom osquery.conf file that queries the following useful set of events:
- yara_events (Currently, we don't install any yara configuration; this is for future development.)
Additionally, the Log Agent installs python and pip on Ubuntu 16+, if not already installed.
The Log Agent assembles a distribution-specific CloudWatch configuration file with the following Log Group mappings:
| File | Log Group Name | Caveats |
| --- | --- | --- |
| /var/log/secure | Linux-Auth-Logs | All other Linux distributions |
| /var/log/httpd/access_log | Apache-Access-Logs | All other Linux distributions |
All log streams within the groups are created using the AWS instance ID.
Note: If you have installed your Apache or other web servers to nonstandard locations, the Log Agent won't discover them.
The Log Agent downloads and runs the AWS CloudWatch Logs Agent installer from the AWS S3 directory for your platform and distribution.
Important: Make sure that the VM where you're running the Log Agent installer has connectivity to that download page.
Log Agent Instance Prerequisites
The instance must:
- Be one of the supported Linux distributions.
- Have an IAM Role with the proper policy to allow it to publish to CloudWatch Logs.
- Have at least temporary internet access, so it can reach the Linux distribution repositories:
  - osquery repository
  - AWS CloudWatch Logs agent installation endpoint
- Have the default CloudWatch monitoring jobs created in the USM Anywhere Job Scheduler already enabled within USM Anywhere.
- You must have root permissions or be able to perform sudo (a program for UNIX-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser) elevation to run the script. The script accepts no command-line arguments and does not interact with users.
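The IAM Role prerequisite above and the Log Group mapping table earlier on this page can be combined into a least-privilege instance-role policy: the agent only needs to create and describe streams and put events in the two groups the table names. This is an added example, not AlienVault's or AWS's own policy text; REGION and ACCOUNT_ID are placeholders, and the stream wildcard reflects the page's statement that streams are named by instance ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UsmaLogAgentPublishToMappedGroupsOnly",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:Linux-Auth-Logs:*",
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:Apache-Access-Logs:*"
      ]
    }
  ]
}
```

Attach this policy to the instance's role rather than granting `logs:*` on `"Resource": "*"`; if the agent maps additional groups on your distribution, add their ARNs to the list instead of widening the resource.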
Installing the Log Agent
To install the Log Agent:
1. Download the tarball from the distribution website (http://downloads.alienvault.cloud/usm-anywhere/usma-logagent-linux/usma-logagent-linux-latest.tgz).
2. Upload and extract the tarball in a convenient directory on the target host, and go to the sub-directory created (for example, usma-logagent-0.999/).
3. Run the script as root or perform passwordless sudo elevation.
After the CloudWatch agent starts, it begins publishing logs to the CloudWatch Log Groups, where the USM Anywhere default scheduled jobs detect them. You can expect new events to take from five to ten minutes to appear in the USM Anywhere Events page.