
AlienVault® USM Appliance™

Configuring Database Plugins

Database plugins extract data from an external database and turn them into USM Appliance events. Supported databases are MySQL and Microsoft SQL Server. The database plugin configuration file provides information on how USM Appliance should connect to and query the database.

Note: You can receive event data from more than one database by configuring and enabling multiple database plugins (one database per plugin).

Sample Database Plugin Configuration File

The following sections describe the operation of each section of the sample plugin configuration file.

How to Connect to the Database

In the database plugin configuration file example, the section that starts with [config] tells USM Appliance how to connect to the database (in this case, MySQL). This consists of the following parameters.

[config]
type=detector
source=database
source_type=<database_type>
source_ip=<database_IP>
source_port=<database_port>
user=<username>
password=<user_password>
db=<database_name>

How to Create a Start Query for the Microsoft SQL Server Database

The following code example initiates a query for the Microsoft SQL Server database.

[start_query]
query="SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC"

How to Fetch Events From the Database

USM Appliance queries the database for events as soon as a database plugin is loaded and, thereafter, every few seconds.

The interval between queries is set by the sleep value in each plugin's configuration file. Default settings may range from two to 60 seconds and are user-configurable. For information about customizing existing plugins or developing new ones, see Customizing and Developing New Plugins and its related topics.

This query is defined by the query field of the [query] section, and its WHERE clause (AutoID > $1) references the value returned by the start query through the $1 placeholder, as shown in the following example.

[query]
query="SELECT AutoID, CONVERT(nvarchar(40), AutoGUID), ServerID, DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName, TargetFileName, ThreatCategory, ThreatEventID, ThreatSeverity, ThreatName FROM EPOEvents where AutoID > $1 ORDER BY AutoID"
regexp=

Important: You must leave the regexp field empty (shown below the query), because database plugins use it in operation.

About the Fields with $

Fields containing $ correspond, by position, to the columns selected in the database query. For example:

$0  First element in the query (AutoID).
$1  Second element in the query (AutoGUID).
$2  Third element in the query (ServerID).

""""

username={$6}
userdata1=GUID {$2}
userdata2=ServerID {$2}
userdata3=Severity {$10}
userdata4={$9}
userdata5={$11}
userdata6={$1}
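As an added check that is not part of the AlienVault documentation or the USM Appliance code: a small Python validator that parses a plugin configuration in the layout shown above and enforces the rules the page states (regexp present but empty, the $1 placeholder in the [query] statement, and every {$N} field reference within the SELECT list). The embedded sample is constructed, its hostname and credentials are placeholders, and placing the field mapping under [query] is an assumption.

```python
import re
from configparser import ConfigParser
# Constructed sample modelled on the page's sections (hostname and credentials are placeholders)
SAMPLE_CFG = """[config]
source_ip=db.example.internal
source_port=1433
user=usm_reader
password=example-only
db=ePO
[start_query]
query="SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC"
[query]
query="SELECT AutoID, CONVERT(nvarchar(40), AutoGUID), ServerID, DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName, TargetFileName, ThreatCategory, ThreatEventID, ThreatSeverity, ThreatName FROM EPOEvents where AutoID > $1 ORDER BY AutoID"
regexp=
username={$6}
userdata3=Severity {$10}
userdata5={$11}
"""

def select_columns(query):
    # Split the SELECT list on top-level commas so CONVERT(a, b) stays one column
    m = re.search(r"SELECT\s+(?:TOP\s+\d+\s+)?(.*?)\s+FROM\s", query, re.I | re.S)
    cols, cur, depth = [], "", 0
    for ch in m.group(1):
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            cols.append(cur.strip())
            cur = ""
        else:
            cur += ch
    cols.append(cur.strip())
    return cols

def check_plugin_cfg(text):
    # Returns findings against the page's rules; an empty list means the file passes
    cfg = ConfigParser(interpolation=None)  # keep "$1" and "{$N}" literal
    cfg.read_string(text)
    findings = []
    query = cfg.get("query", "query", fallback="").strip('"')
    if cfg.get("query", "regexp", fallback=None) != "":
        findings.append("[query] regexp must be present and left empty")
    if "$1" not in query:
        findings.append("[query] query lacks the $1 placeholder fed by [start_query]")
    ncols = len(select_columns(query)) if query else 0
    for sec in cfg.sections():  # every {$N} in any section must fit the column list
        for key, val in cfg.items(sec):
            for n in re.findall(r"\{\$(\d+)\}", val):
                if int(n) >= ncols:
                    findings.append(f"[{sec}] {key} uses ${n} but the query returns {ncols} columns")
    return findings
```

Run it against a .cfg or .cfg.local before enabling the plugin; a non-empty list points at the field that will not map to a query column.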

External Database Configuration

This task enables communication with the external database from which the plugin receives data. You will need command line access to USM Appliance to complete this task.

Important: You need to repeat this task for every external database you want to receive data from.

To configure communication with an external database

1. Create the file /etc/ossim/agent/plugins/<database-plugin>.cfg.local.

2. In the .local file, add the fields shown below.

Use the table provided for definitions:

[config]
source_ip=
source_port=
user=
password=
db=
sleep=

Editable field descriptions for the database plugin configuration file

Field         Description
source_ip     Fully qualified domain name, hostname, or IP address.
source_port   Port number of the external database.
user          Name of the user with access to the database.
password      Password for the user with access to the database.
db            Machine name of the external database.
sleep         Duration, in seconds, between plugin queries to the database.

Reference: https://www.alienvault.com/documentation/usm-appliance/plugin-management/configuring-database-plugins.htm