Importing configuration files to AlienVault USM / OSSIM
April 11, 2024
ID 183920
This section describes how to configure AlienVault USM / OSSIM to treat Kaspersky CyberTrace as an event source. Perform the following procedure on the computer on which AlienVault USM / OSSIM runs.
To configure AlienVault USM / OSSIM for receiving events from Kaspersky CyberTrace:
- Copy the following configuration files to their target directories:
  - Copy kaspersky_cyberTrace.cfg to the /etc/ossim/agent/plugins/ directory.
  - Copy kaspersky_cyberTrace.sql to the /usr/share/doc/ossim-mysql/contrib/plugins/ directory.
  The kaspersky_cyberTrace.cfg and kaspersky_cyberTrace.sql files are shipped together with this Help documentation or are received from your technical account manager (TAM).
- Add the following line to the plugins section of the /etc/ossim/agent/config.cfg file:
  kaspersky_cyberTrace=/etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg
- Add the following rule to the /etc/rsyslog.conf file:
  if ($fromhost-ip == '%CyberTrace_IP_OUT%') then -/var/log/kaspersky_cyberTrace.log
  Here %CyberTrace_IP_OUT% is the IP address of the computer from which Kaspersky CyberTrace sends events. The rule selects messages by source IP address only, so every syslog message that arrives from that address is written to the file. rsyslog evaluates rules in the order in which they appear in the file, so it is recommended to add this line before the rules that are added when configuring AlienVault USM / OSSIM for forwarding events to Kaspersky CyberTrace.
- Run the following command:
cat /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql | ossim-db
This command adds information about Kaspersky CyberTrace to the AlienVault database.
- Run the following commands:
/etc/init.d/ossim-agent restart
/etc/init.d/ossim-server restart
With these commands, AlienVault USM / OSSIM applies the settings specified in the kaspersky_cyberTrace.cfg configuration file. This file contains the rules that AlienVault USM / OSSIM uses for parsing events from Kaspersky CyberTrace.
- Restart the rsyslog service by running the following command:
/etc/init.d/rsyslog restart
- Configure the logrotate utility to archive Kaspersky CyberTrace events on the computer on which AlienVault USM / OSSIM runs:
  - Create the kaspersky_cybertrace file in the /etc/logrotate.d directory.
  - In the kaspersky_cybertrace file, specify the following lines:
    /var/log/kaspersky_cyberTrace.log
    {
    # save 3 months of logs
    rotate 3
    monthly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    # run a script after log rotation
    postrotate
    invoke-rc.d rsyslog rotate > /dev/null
    endscript
    }
  - Save and close the kaspersky_cybertrace file.
  If you want to save logs for another period, see the logrotate documentation to configure the kaspersky_cybertrace file.
After you perform this procedure, the Kaspersky CyberTrace device will be added to AlienVault USM / OSSIM. The rsyslog service will store events from Kaspersky CyberTrace in the /var/log/kaspersky_cyberTrace.log file.
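The procedure above, written as a shell script. This is an added example and is not part of the Kaspersky CyberTrace Help or of AlienVault: ROOT, CFG_SRC, SQL_SRC, CYBERTRACE_IP and the function names are assumptions made for this example, while the plugin line, the rsyslog rule and the logrotate policy are the ones given in the procedure. Each step is skipped if it has already been applied, so the script can be rerun safely; set ROOT to a scratch directory to inspect the file edits before running it on the AlienVault host.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky CyberTrace Help or of AlienVault:
# the procedure above as idempotent shell functions. ROOT, CFG_SRC, SQL_SRC
# and CYBERTRACE_IP are names assumed for this example.
set -eu

ROOT="${ROOT:-}"                                  # set to a scratch directory for a dry run
CFG_SRC="${CFG_SRC:-./kaspersky_cyberTrace.cfg}"  # files shipped with the Help / from your TAM
SQL_SRC="${SQL_SRC:-./kaspersky_cyberTrace.sql}"

# Step 1: copy the plugin and SQL files to their target directories.
install_plugin_files() {
    mkdir -p "$ROOT/etc/ossim/agent/plugins" "$ROOT/usr/share/doc/ossim-mysql/contrib/plugins"
    cp "$CFG_SRC" "$ROOT/etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg"
    cp "$SQL_SRC" "$ROOT/usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql"
}

# Step 2: register the plugin inside the [plugins] section of config.cfg, once.
register_plugin() {
    cfg="$ROOT/etc/ossim/agent/config.cfg"
    line='kaspersky_cyberTrace=/etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg'
    grep -qxF "$line" "$cfg" && return 0
    grep -qxF '[plugins]' "$cfg" || { echo "no [plugins] section in $cfg" >&2; return 1; }
    # print the entry right after the section header so it cannot land in another section
    awk -v l="$line" '{ print } /^\[plugins\]$/ { print l }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Step 3: route syslog from the CyberTrace host to its own file. The rule is
# placed before the first forwarding action (@host or @@host) in the file, as
# the Help recommends, or appended if there is none.
add_rsyslog_rule() {
    ip="$1"; conf="$ROOT/etc/rsyslog.conf"
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "not an IPv4 address: $ip" >&2; return 1; }
    rule="if (\$fromhost-ip == '$ip') then -/var/log/kaspersky_cyberTrace.log"
    grep -qxF "$rule" "$conf" && return 0
    awk -v rule="$rule" '
        !done && /^[^#]*[[:space:]]@/ { print rule; done = 1 }
        { print }
        END { if (!done) print rule }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Step 4: the logrotate policy from the Help text (3 monthly rotations).
write_logrotate_policy() {
    mkdir -p "$ROOT/etc/logrotate.d"
    cat > "$ROOT/etc/logrotate.d/kaspersky_cybertrace" <<'EOF'
/var/log/kaspersky_cyberTrace.log
{
    # save 3 months of logs
    rotate 3
    monthly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    # run a script after log rotation
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
EOF
}

# Step 5: load the plugin definitions and restart the services. Only possible
# on the AlienVault host itself, so it is skipped when ossim-db is not installed.
load_sql_and_restart() {
    if command -v ossim-db >/dev/null 2>&1; then
        ossim-db < "$ROOT/usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql"
        /etc/init.d/ossim-agent restart
        /etc/init.d/ossim-server restart
        /etc/init.d/rsyslog restart
    else
        echo "ossim-db not found: skipping database import and service restarts" >&2
    fi
}

main() {
    install_plugin_files
    register_plugin
    add_rsyslog_rule "$CYBERTRACE_IP"
    write_logrotate_policy
    load_sql_and_restart
}

# Usage on the AlienVault host: CYBERTRACE_IP=<address of the CyberTrace host> sh setup.sh
if [ -n "${CYBERTRACE_IP:-}" ]; then
    main
else
    echo "usage: CYBERTRACE_IP=<address> $0" >&2
fi
```

The IPv4 check on the rsyslog step matters because the address is spliced into a rule unquoted by rsyslog itself: a typo there silently routes nothing to the file, and the verification test described below would then fail without an obvious cause.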
After you configure Kaspersky CyberTrace and AlienVault USM / OSSIM, perform the verification test. For this, send the verification test events to Kaspersky CyberTrace by using the Log Scanner utility (which is part of Kaspersky CyberTrace). The verification test events are contained in the verification/kl_verification_test.txt file. Check the verification test result in the AlienVault USM / OSSIM web interface.
By default, detection events for each Kaspersky Threat Data Feed have their own event type in AlienVault. Detection events for other feeds, such as imported custom feeds, share the generic Kaspersky CyberTrace - Detection event value in the event name field.
You can rename the detection events of the imported feeds in order to classify the detection events according to their categories.
To rename the detection events of an imported feed:
- Add the following line to the translation section of the /etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg configuration file:
  %CATEGORY_ATTRIBUTE_VALUE_OF_THE_IMPORTED_FEED%=%ANY_FREE_NUMERIC_VALUE%
  Here %CATEGORY_ATTRIBUTE_VALUE_OF_THE_IMPORTED_FEED% is the value of the category attribute of the imported feed from kl_feed_service.conf, and %ANY_FREE_NUMERIC_VALUE% is a numeric event identifier that is not yet used by any other entry in the translation section. For example: Custom_Feed=50.
- Save and close the file.
- Add the following line before the last line of the /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql file:
  (23021992, %NUMERIC_VALUE_SPECIFIED_AT_THE_kaspersky_cyberTrace.cfg%, 15, 71, NULL, 'Kaspersky CyberTrace - %NAME_TO_REPLACE%', 5, 8),
  Here %NUMERIC_VALUE_SPECIFIED_AT_THE_kaspersky_cyberTrace.cfg% is the same number that you specified in the translation section, and %NAME_TO_REPLACE% is the name that AlienVault USM / OSSIM will display for the detection events of this feed.
- Save and close the file.
- Run the following commands:
cat /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql | ossim-db
/etc/init.d/ossim-agent restart
/etc/init.d/ossim-server restart
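The renaming procedure above as a shell script. This is an added example, not tooling from the Kaspersky CyberTrace Help: it appends the translation entry and the plugin_sid row in the places the procedure names, but first checks that the numeric value is really free in both files and that the category is not already mapped, so a rerun or a copied-and-pasted number cannot produce two events with the same identifier. CFG, SQL and the function names are assumptions made for this example; the row format is the one shown in the procedure.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky CyberTrace Help: adds the two lines
# from the renaming procedure above while checking that the chosen numeric
# value is really free. CFG and SQL are names assumed for this example.
set -eu

CFG="${CFG:-/etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg}"
SQL="${SQL:-/usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql}"

# Exit 0 if a key with this name already exists in the [translation] section.
translation_key_used() {
    awk -F= -v key="$1" '
        /^\[/ { in_tr = ($0 == "[translation]"); next }
        in_tr { k = $1; gsub(/[[:space:]]/, "", k); if (k == key) found = 1 }
        END { exit (found ? 0 : 1) }' "$CFG"
}

# Exit 0 if the numeric value is already used as a [translation] value or as
# the second field of a row in the SQL file (rows in the format shown above).
sid_in_use() {
    awk -F= -v sid="$1" '
        /^\[/ { in_tr = ($0 == "[translation]"); next }
        in_tr && $2 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ && $2 + 0 == sid { found = 1 }
        END { exit (found ? 0 : 1) }' "$CFG" && return 0
    grep -Eq "^\([[:space:]]*[0-9]+,[[:space:]]*$1," "$SQL"
}

# add_feed_event <category attribute value> <free numeric value> [<display name>]
add_feed_event() {
    category="$1"; sid="$2"; label="${3:-$1}"
    case "$sid" in ''|*[!0-9]*) echo "numeric value required, got '$sid'" >&2; return 1;; esac
    case "$label" in *\'*) echo "display name must not contain a single quote" >&2; return 1;; esac
    if sid_in_use "$sid"; then echo "value $sid is already in use" >&2; return 1; fi
    if translation_key_used "$category"; then echo "$category is already mapped" >&2; return 1; fi
    # 1. append "category=sid" at the end of the [translation] section, keeping
    #    the blank lines that separate it from the next section where they are
    awk -v entry="$category=$sid" '
        in_tr && /^[[:space:]]*$/ { held = held $0 "\n"; next }
        in_tr && /^\[/ { print entry; in_tr = 0 }
        { printf "%s", held; held = ""; print }
        /^\[translation\]$/ { in_tr = 1 }
        END { if (in_tr) print entry; printf "%s", held }' "$CFG" > "$CFG.tmp" && mv "$CFG.tmp" "$CFG"
    # 2. insert the plugin_sid row before the last line of the SQL file
    row="(23021992, $sid, 15, 71, NULL, 'Kaspersky CyberTrace - $label', 5, 8),"
    awk -v row="$row" 'NR > 1 { print prev } { prev = $0 } END { print row; print prev }' "$SQL" > "$SQL.tmp" \
        && mv "$SQL.tmp" "$SQL"
}

# Usage on the AlienVault host, followed by the reload commands from the procedure:
#   sh add_feed_event.sh Custom_Feed 50 "Custom Feed"
#   cat /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql | ossim-db
#   /etc/init.d/ossim-agent restart && /etc/init.d/ossim-server restart
if [ $# -ge 2 ]; then
    add_feed_event "$@"
fi
```

Point CFG and SQL at copies of the two files to rehearse the change before touching the live plugin, then run the ossim-db import and the two restarts from the procedure to make the new event name visible.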