AlienVault® USM Appliance™

Customize Existing Plugins Yourself

Applies to Product: USM Appliance™ AlienVault OSSIM®

You may want to customize an existing plugin, for example, if you need to update configuration file settings, add or update rules, exclude events, or make regex expression changes. You may also have submitted a request to AlienVault to modify a plugin or create a new one, but you need to change plugin behavior more quickly, while you wait for an update.

Note: To submit a request for a new plugin or an update, see Request a New Plugin or Update to an Existing Plugin through AlienVault. AlienVault updates its plugins on a biweekly basis.

Before You Start

With any existing plugin file you want to make changes to, you must first create a new empty file with the same name and append the .local extension to the file


You can then add your changes to the plugin in the .local file. You only need to include the delta, or items you want to change from the original plugin file, along with the section name that it belongs to. Changes in your local file will then take precedence over any previous settings defined in the original plugin file, and your local file will also not be overwritten by system updates.

Important: AlienVault recommends that you keep any plugin file that you customized or developed until you can verify that AlienVault has included your requested plugin or revision in one of its biweekly updates.

You can change anything within a plugin file except the header or the plugin ID, enable, type, and source parameters.

For example, you might change the file location or an existing rule in a plugin file. If you want to add a new rule to a plugin, you can modify the regex parameter and assign matches to the affected event fields. You can change event field mapping and also use custom functions.

Typical customization include but is not limited to