
AlienVault® USM Appliance™

Configuring Database Plugins


Database plugins extract data from an external database and turn it into
USM Appliance events. Supported databases are MySQL and Microsoft SQL Server.
The database plugin configuration file tells USM Appliance how to connect to
and query the database.

Note: You can receive event data from more than one database by configuring and
enabling multiple database plugins (one database per plugin).

Sample Database Plugin Configuration File

The following sections describe the operation of the various sections of the
sample plugin configuration file.

How to Connect to the Database


In the database plugin configuration file example, the section that starts
with [config] tells USM Appliance how to connect to the database (in this case,
MySQL). It consists of the following parameters.

[config]
type=detector
source=database
source_type=<database_type>
source_ip=<database_IP>
source_port=<database_port>
user=<username>
password=<user_password>
db=<database_name>

How to Create a Start Query for the Microsoft SQL Server Database
The following code example initiates a query for the Microsoft SQL Server database.

[start_query]
query="SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC"

How to Fetch Events From the Database


USM Appliance queries the database for events as soon as a database plugin is
loaded and, thereafter, every few seconds.

The interval between queries is set by the sleep value in each plugin's
configuration file. Default settings range from two to 60 seconds and are
user-configurable. For information about customizing existing or developing new
plugins, see Customizing and Developing New Plugins and its related topics.

The [query] section defines the query line, which references the result of the
start query (the $1 placeholder in the following example).

[query]
query="SELECT AutoID, CONVERT(nvarchar(40), AutoGUID), ServerID,
DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName, TargetFileName,
ThreatCategory, ThreatEventID, ThreatSeverity, ThreatName FROM
EPOEvents where AutoID > $1 ORDER BY AutoID"
regexp=
Important: Leave the regexp field (shown below the query) empty; database
plugins use it internally during operation.

About the Fields with $


Fields containing $ correspond to fields in the database query. For example:

$0 First element in the query (AutoID).
$1 Second element in the query (AutoGUID).
$2 Third element in the query (ServerID).
...

In the sample configuration file, these fields are mapped to event fields as follows:

username={$6}
userdata1=GUID {$2}
userdata2=ServerID {$2}
userdata3=Severity {$10}
userdata4={$9}
userdata5={$11}
userdata6={$1}
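As an added illustration (not from the AlienVault documentation or the agent's own code), the following Python simulates the polling cycle described above: the value returned by the start query replaces $1 in the fetch query, and each {$N} in a rule expands to column N of the returned row. The column list, rule set, sample rows, and the fake_fetch stand-in for a database cursor are constructed for this example.

```python
import re

# Column order of the page's [query] SELECT; {$N} refers to column N of each row.
QUERY_COLUMNS = ["AutoID", "AutoGUID", "ServerID", "DetectedUTC", "SourceIPV4",
                 "TargetIPV4", "TargetUserName", "TargetFileName", "ThreatCategory",
                 "ThreatEventID", "ThreatSeverity", "ThreatName"]
FETCH_QUERY = ("SELECT " + ", ".join(QUERY_COLUMNS) +
               " FROM EPOEvents where AutoID > $1 ORDER BY AutoID")
# Constructed rule set in the page's {$N} notation (not the page's exact list).
RULES = {"username": "{$6}", "userdata1": "GUID {$1}", "userdata2": "ServerID {$2}",
         "userdata3": "Severity {$10}", "userdata4": "{$9}", "userdata5": "{$11}"}
PLACEHOLDER = re.compile(r"\{\$(\d+)\}")

def next_fetch_query(last_id):
    """Put the last AutoID seen ([start_query] result or previous batch) in place of $1.
    int() guarantees that only a number ever lands in the SQL text."""
    return FETCH_QUERY.replace("$1", str(int(last_id)))

def build_event(rules, row):
    """Expand every {$N} in a rule template to column N of the fetched row."""
    if len(row) != len(QUERY_COLUMNS):
        raise ValueError("row width does not match the SELECT column list")
    return {field: PLACEHOLDER.sub(lambda m: str(row[int(m.group(1))]), tmpl)
            for field, tmpl in rules.items()}

def poll(fetch_rows, last_id):
    """One polling cycle: fetch rows newer than last_id, return (events, new last_id)."""
    rows = fetch_rows(next_fetch_query(last_id))
    return [build_event(RULES, r) for r in rows], (rows[-1][0] if rows else last_id)

# Constructed rows standing in for an EPOEvents result set (no real database needed).
SAMPLE_ROWS = [
    (101, "0F3B-EXAMPLE", 7, "2020-01-01 10:00:00", "10.0.0.5", "10.0.0.9", "jdoe",
     "C:\\tmp\\eicar.com", "av.detect", 1027, 4, "EICAR test file"),
    (102, "1A2C-EXAMPLE", 7, "2020-01-01 10:00:05", "10.0.0.6", "10.0.0.9", "asmith",
     "", "av.detect.heuristics", 1278, 2, "Generic.Heuristic"),
]

def fake_fetch(sql):
    """Stand-in for the agent's cursor: honours the 'AutoID > N' filter in the query."""
    bound = int(sql.split("AutoID > ")[1].split()[0])
    return [r for r in SAMPLE_ROWS if r[0] > bound]

if __name__ == "__main__":
    events, last_id = poll(fake_fetch, 100)   # 100 stands in for the [start_query] result
    for ev in events:
        print(ev)
    print("next poll starts after AutoID", last_id)
```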

External Database Configuration


This task enables communication with the external database from which the plugin
receives data. You will need command line access to USM Appliance to complete this
task.

Important: You need to repeat this task for every external database you want to
receive data from.
To configure communication with an external database

1. Create the file /etc/ossim/agent/plugins/<database-plugin>.cfg.local.

2. In the .local file, add the fields shown below. Use the following table for
   definitions:

[config]
source_ip=
source_port=
user=
password=
db=
sleep=
Editable field descriptions for the database plugin configuration file

Field        Description
source_ip    Fully qualified domain name, hostname, or IP address.
source_port  Port number of the external database.
user         Name of the user with access to the database.
password     Password for the user with access to the database.
db           Machine name of the external database.
sleep        Duration, in seconds, between plugin queries to the database.

Reference: https://www.alienvault.com/documentation/usm-appliance/plugin-management/configuring-database-plugins.htm