Documentation Center
AlienVault® USM Anywhere™

Installing osquery and CloudWatch Through the Log Agent

The Log Agent is a wrapper for installing third-party software with USM Anywhere -specific configurations that collect and transmit system events and logs on Linux systems in your AWS environment. It detects your Linux distribution and version, and decides if it's supported.

Note: If you prefer a more manual approach to installation, see Collecting Logs from Linux Using osquery.

Supported Linux Distributions

The USM Anywhere Log Agent installer supporting osqueryOsquery is a agent that runs on Linux hosts used for File Integrity Monitoring (FIM) and log collection. and an AWS CloudWatch configuration is available for the following Linux distributions and versions.

Distribution Version
Ubuntu 12.04 Precise
14.04 Trusty
16.04 Xenial
RHEL 6.6
6.7
6.8
7.1
7.2
7.3
CentOS 6.6
6.7
6.8
7.0
7.1
7.2
7.3

About the osquery and CloudWatch Log Agent

osquery

After distribution and version verification, the Log Agent installs osquery for S3 from AWS.

It creates a custom osquery.conf file that queries the following useful set of events:

  • file_events
  • users
  • listening_ports
  • crontab
  • kernel_modules
  • processes
  • yara_events (Currently, we don't install any yara configuration; this is for future development.)
  • suid_bin
  • outbound_connections

Additionally, the Log Agent installs python and pip on Ubuntu 16+, if not already installed.

CloudWatch

The Log Agent assembles a distribution-specific CloudWatch configuration file with the following Log Group mappings:

File Log Group Name Caveats
/var/log/osquery/osqueryd.results.log osquery-Logs
/var/log/auth.log Linux-Auth-Logs Ubuntu only
/var/log/secure Linux-Auth-Logs All other Linux distributions
/var/log/apache/access.log Apache-Access-Logs
/var/log/httpd/access_log Apache-Access-Logs All other Linux distributions
/var/log/audit/audit.log Linux-Audit-Logs

All log streams within the groups are created using the AWS instance id.

Note: If you have installed your Apache or other web servers to nonstandard locations, the Log Agent won't discover them.

The Log Agent downloads and runs the AWS CloudWatch Logs Agent installer from the AWS S3 page for your platform and distribution's directory.

Important: Make sure that the VM where you're running the Log Agent installer has connectivity to that download page.

Log Agent Instance Prerequisites

Installing the Log Agent

To install the Log Agent

  1. Download the tarball from the distribution website (http://downloads.alienvault.cloud/usm-anywhere/usma-logagent-linux/usma-logagent-linux-latest.tgz).

  2. Upload and extract the tarball in a convenient directory on the target host, and go to the sub-directory created (for example, usma-logagent-0.999/).

  3. Run the script as root or perform passwordless sudo elevation.

    sudo ./LinuxConfigurationScript.sh

    After the CloudWatch agent starts, it begins publishing logs to the CloudWatch Log Groups, where the USM Anywhere default scheduled jobs detect them. You can expect new events to take from five to ten minutes to appear in the USM Anywhere Events page.