Supported services

All the services except Inspector Classic and CloudWatch Logs get their data from log files stored in an S3 bucket. These services store their data into log files which are configured inside <bucket type='TYPE'> </bucket> tags, while Inspector Classic and CloudWatch Logs services are configured inside <service type='inspector'> </service> and <service type='cloudwatchlogs'> </service> tags, respectively.

New in version 4.4.2.

The <subscriber type='TYPE'> </subscriber> tags are added in order to obtain logs from Amazon Security Lake buckets.

The next table contains the most relevant information about configuring each service in the ossec.conf file, as well as the path where the logs will be stored in the bucket if the corresponding service uses them as its storage medium:

Provider	Service	Configuration tag	Type	Path to logs
Amazon	CloudTrail	bucket	cloudtrail	<bucket_name>/<prefix>/AWSLogs/<suffix>/<organization_id>/<account_id>/CloudTrail/<region>/<year>/<month>/<day>
Amazon	VPC	bucket	vpcflow	<bucket_name>/<prefix>/AWSLogs/<suffix>/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day>
Amazon	Config	bucket	config	<bucket_name>/<prefix>/AWSLogs/<suffix>/<account_id>/Config/<region>/<year>/<month>/<day>
Amazon	ALB	bucket	alb	<bucket_name>/<prefix>/AWSLogs/<account_id>/elasticloadbalancing/<region>/<year>/<month>/<day>
Amazon	CLB	bucket	clb	<bucket_name>/<prefix>/AWSLogs/<account_id>/elasticloadbalancing/<region>/<year>/<month>/<day>
Amazon	NLB	bucket	nlb	<bucket_name>/<prefix>/AWSLogs/<account_id>/elasticloadbalancing/<region>/<year>/<month>/<day>
Amazon	KMS	bucket	custom	<bucket_name>/<prefix>/<year>/<month>/<day>
Amazon	Macie	bucket	custom	<bucket_name>/<prefix>/<year>/<month>/<day>
Amazon	Trusted Advisor	bucket	custom	<bucket_name>/<prefix>/<year>/<month>/<day>
Amazon	GuardDuty Native	bucket	guardduty	<bucket_name>/<prefix>/AWSLogs/<suffix>/<account_id>/GuardDuty/<region>/<year>/<month>/<day>
Amazon	GuardDuty Firehose	bucket	guardduty	<bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
Amazon	WAF	bucket	waf	<bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
Amazon	S3 Server Access logs	bucket	server_access	<bucket_name>/<prefix>
Amazon	Inspector Classic	service	inspector
Amazon	CloudWatch Logs	service	cloudwatchlogs
Amazon	Amazon ECR Image scanning	service	cloudwatchlogs
Amazon	Amazon Security Lake	subscriber	security_lake
Amazon	Custom Logs Buckets	subscriber	buckets
Cisco	Umbrella	bucket	cisco_umbrella	<bucket_name>/<prefix>/<year>-<month>-<day>