AlienVault® USM Anywhere™

PostgreSQL

When you configure PostgreSQL to send log data to USM Anywhere, you can use the PostgreSQL plugin to translate the raw log data into normalized events for analysis.

Device Details

  Vendor:          PostgreSQL Global Development Group
  Device Type:     Database Management System
  Connection Type: Syslog

Integrating PostgreSQL

Before you configure the PostgreSQL integration, you must have the IP Address of the USM Anywhere Sensor.

To configure PostgreSQL to send Syslog messages to USM Anywhere

  1. Add the following settings in the postgresql.conf file:

    log_destination = 'syslog' # Can specify multiple destinations

    syslog_facility='LOCAL0'

    syslog_ident='postgres'

  2. Edit the /etc/syslog.conf file, adding the following entries to configure the log options:

    # .=notice forwards notice-level messages only.

    # <facility_name>.=notice @<IP_address_of_USM Anywhere>

    # .=err forwards error-level messages from PostgreSQL only.

    # <facility_name>.=err @<IP_address_of_USM Anywhere>

    # .* forwards messages of every priority to the same target.

    # <facility_name>.* @<IP_address_of_USM Anywhere>

    Set the syslog <facility_name> entry to the same facility name as specified in the postgresql.conf file, for example: LOCAL0.

    To enable a log option, remove the comment tag (#) from the corresponding line that contains an @ symbol; lines that stay commented out are ignored by the syslog daemon.

  3. If your configuration changes do not load automatically, restart the syslog daemon.

    The method to restart the syslog daemon depends on the operating system you are using. The following table lists the commands you can use for different operating systems.

    Operating system distribution   Command to restart daemon
    RedHat                          service syslog restart
    Debian                          /etc/init.d/syslog restart
    FreeBSD                         /etc/rc.d/syslogd restart

  4. To complete the integration process, reload the server parameters so that PostgreSQL picks up the new logging settings without a full restart.

    pg_ctl reload -D $PGDATA
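A consistency check you can run on the two files before restarting anything, as an added example that is not part of this documentation (the sample file contents and the sensor address 192.0.2.10 are constructed): it confirms that postgresql.conf sends to syslog, that the facility it names has an uncommented forwarding line in syslog.conf, and that the line points at the USM Anywhere Sensor.

```python
import re

# Constructed sample files for this example; neither comes from the page or the product.
POSTGRESQL_CONF = """
log_destination = 'syslog'   # Can specify multiple destinations
syslog_facility = 'LOCAL0'
syslog_ident = 'postgres'
"""

# The LOCAL0 forwarding line is still commented out and a different facility is active.
SYSLOG_CONF_BROKEN = """
# local0.* @192.0.2.10
local1.* @192.0.2.10
"""

# The facility matches postgresql.conf and the forwarding line is uncommented.
SYSLOG_CONF_FIXED = """
local0.* @192.0.2.10
"""

def parse_postgresql_conf(text):
    """Map 'key = value' lines to a dict, dropping '#' comments and surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*'?([^']*)'?$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def parse_forwarding_rules(text):
    """Return (facility, priority, target) for each active syslog.conf line that forwards with '@'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([\w*]+)\.(=?\w+|\*)\s+@(\S+)$", line)
        if m:
            rules.append((m.group(1).lower(), m.group(2), m.group(3)))
    return rules

def check_forwarding(pg_conf, syslog_conf, sensor_ip):
    """Return a list of problems; an empty list means the two files agree and target the sensor."""
    findings = []
    pg = parse_postgresql_conf(pg_conf)
    destinations = [d.strip().lower() for d in pg.get("log_destination", "stderr").split(",")]
    if "syslog" not in destinations:
        findings.append("log_destination does not include 'syslog'")
    facility = pg.get("syslog_facility", "local0").lower()  # PostgreSQL's default is LOCAL0
    rules = [r for r in parse_forwarding_rules(syslog_conf) if r[0] in (facility, "*")]
    if not rules:
        findings.append(f"no active syslog.conf line forwards facility {facility}")
    elif not any(target.split(":")[0] == sensor_ip for _, _, target in rules):
        findings.append(f"facility {facility} is forwarded, but not to the sensor {sensor_ip}")
    return findings

if __name__ == "__main__":
    for name, conf in (("broken", SYSLOG_CONF_BROKEN), ("fixed", SYSLOG_CONF_FIXED)):
        print(name, check_forwarding(POSTGRESQL_CONF, conf, "192.0.2.10") or ["ok"])
```

Facility names are compared case-insensitively because postgresql.conf conventionally uses LOCAL0 while syslog.conf selectors are written in lowercase; a target written as host:port is matched on the host part only.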

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • duration
  • event_description
  • event_name
  • highlight_fields
  • needs_enrichment
  • plugin_device
  • plugin_device_type
  • plugin_rule
  • source_address
  • source_port
  • source_process_id
  • transient

Additional Resources and Troubleshooting

https://www.postgresql.org/docs/9.6/static/runtime-config-logging.html

For troubleshooting, refer to the vendor documentation:

https://www.postgresql.org/docs/7.0/static/trouble.htm