Select the Configuration > Deployment option from the Sheriff CSM web UI.
Select the Plugin Builder tab. The Sheriff CSM web UI displays a list of any custom plugins previously created with the Plugin Builder.
Note: The Plugin Builder display only shows new plugins created using the Plugin Builder. It does not show any other custom plugins that may have been created or customized outside of the Plugin Builder. However, you can locate those plugins by viewing the contents of the Sheriff CSM plugin configuration folder: /etc/vigilante/agent/plugins.
You can also view and enable the custom plugins by establishing an SSH connection to the Sheriff Console and selecting the Configure Sensor (Deputy) > Configure data source plugin option from the Sheriff Setup menu.
Click the Add New Plugin button.
The Sheriff CSM web UI displays the first step of the Plugin Builder wizard. You are prompted to select a sample log file the Plugin Builder will use to identify data that can be normalized into Sheriff CSM event fields.
Click the Browse button to navigate to the location of the sample log file you want to use to identify possible event field mapping.
After you choose a log file, the Plugin Builder determines whether it can upload the file for event field mapping and displays a green checkmark if successful.
Click Next.
The Plugin Builder advances to step 2, in which you are prompted to enter information about the source of the log file.
Note: Vendor and Model entries may not contain spaces or special characters. Only the plugin ID is included in the plugin configuration filename. Vendor, model, and version information is included in the plugin file header.
For the Product Type field, select the product type from the options displayed in the popup list. (The category list matches the Sheriff CSM SIEM taxonomy.) When you have finished the Plugin Properties entries, click Next.
The Plugin Builder now displays the initial mapping of log file entries to Sheriff CSM event fields for specific named event rules.
The top portion of the display shows data contained in the sample log file you submitted and the bottom portion displays corresponding event field mapping that the Plugin Builder identified for one or more named event rules.
Click the Edit button.
The Plugin Builder displays a set of fields in which you can edit the name, category, and subcategory that Sheriff CSM will use when the plugin generates events matching specific rules.
In the area below the event property fields, the Edit Tokens section lets you edit or update the data tokens assigned or mapped to Sheriff CSM event fields. You can also define additional data tokens from patterns in the log data that are not yet assigned, and map those tokens to new event fields.
You can use the sliding bar at the bottom of the display to adjust the beginning and ending points of data tokens taken from the sample log file that are mapped to event fields.
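To show what the token-to-field mapping in these steps amounts to, here is an added illustrative example; it is not the Plugin Builder's own code or its configuration format. Character spans chosen on a constructed sample line are turned into one anchored regular expression with named groups, and new lines are then normalized with it. The log lines, field names and offsets are all constructed for the example.

```python
import re

# Constructed sample log line, standing in for the sample file uploaded in step 1.
SAMPLE_LINE = "2024-05-01 10:22:31 fw01 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp"

# Token spans as chosen with the sliding bar: (event field, start offset, end offset).
# Field names are illustrative; they are not the product's event field names.
TOKEN_SPANS = [
    ("date", 0, 19),
    ("sensor", 20, 24),
    ("action", 25, 29),
    ("src_ip", 34, 45),
    ("dst_ip", 50, 60),
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def subpattern(token):
    """Pick a capture pattern from the shape of the sample token."""
    if re.fullmatch(IPV4, token):
        return IPV4
    if token.isdigit():
        return r"\d+"
    if any(c.isspace() for c in token):
        return r".+?"       # token spans whitespace (e.g. a date and time): lazy match
    return r"\S+"           # single word

def build_pattern(sample, spans):
    """Turn the chosen spans into one anchored regex with named groups. Text between
    spans is kept as a literal, which is why every value that varies must be tokenized."""
    pattern, pos = "", 0
    for field, start, end in sorted(spans, key=lambda s: s[1]):
        if not (pos <= start < end <= len(sample)):
            raise ValueError(f"bad or overlapping span for {field}: {start}-{end}")
        pattern += re.escape(sample[pos:start])
        pattern += f"(?P<{field}>{subpattern(sample[start:end])})"
        pos = end
    return "^" + pattern + re.escape(sample[pos:]) + "$"

def normalize(line, pattern):
    """Map one log line to event fields; None means the rule does not fire."""
    m = re.match(pattern, line)
    return m.groupdict() if m else None

PATTERN = build_pattern(SAMPLE_LINE, TOKEN_SPANS)

if __name__ == "__main__":
    # The generated rule must reproduce the sample it was built from.
    assert normalize(SAMPLE_LINE, PATTERN)["src_ip"] == "203.0.113.7"
    print(PATTERN)
    print(normalize("2024-05-02 08:00:00 fw02 ALLOW src=198.51.100.9 dst=192.0.2.44 proto=tcp", PATTERN))
    # proto was never mapped as a token, so a line with proto=udp is silently dropped.
    print(normalize("2024-05-02 08:00:00 fw02 ALLOW src=198.51.100.9 dst=192.0.2.44 proto=udp", PATTERN))
```

The last call returning None is the case to watch for: any value left as literal text between tokens causes every line that differs there to produce no event at all.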
Click the Return link after revising or adding any additional log data you want to map to event fields.
Click Save & Close and then click Next.
Click the Finish button to complete creation of the new plugin.
When you click the Finish button, the Plugin Builder creates both the configuration (.cfg) file and the .sql file for the new plugin.
After creating the new plugin, the Sheriff CSM Plugin Builder wizard returns to the main custom plugins display page where it shows the new plugin you just created.
(The new plugin is stored in the /etc/sheriff/plugins/custom folder.) You can also delete an existing plugin from the Plugin Builder's tabular list view and then start over to make a new plugin using the Plugin Builder wizard.
The plugin .sql file is automatically applied to the Sheriff CSM Server database. There is no need to copy and run the plugin .sql file on external sensors, because they do not have a separate database.
Note: Exporting or manually copying the plugin .cfg configuration and .sql files is only necessary if you want to deploy a new custom plugin to other Sheriff CSM installations in your environment. Exporting a new custom plugin only exports the plugin .cfg configuration file, so you will still need to manually download the plugin .sql file and apply it to the databases of any other Sheriff CSM Server installations you have deployed.