Sheriff CSM™

Enable Plugins

Sheriff provides more than one way to enable plugins in Sheriff CSM. You can enable plugins on specific discovered assets, or you can enable them globally on Sheriff CSM Sensors (Deputies). In addition, depending on the specific plugin, you can enable it using different tools, including the Sheriff CSM web UI, the Getting Started Wizard, or the Sheriff console.

The following topics provide more information about the two choices available for enabling plugins, and about how to verify that an enabled plugin is working properly.

Important: Be careful not to enable the same plugin twice, because this will generate duplicate events.

Below is a list of plugins that can only be enabled at the Sensor level:

Plugin Name              Description
-----------------------  ----------------------------------------------------------
av-useractivity          A MySQL database plugin.
drupal-wiki              A MySQL database plugin.
eljefe                   A MySQL database plugin.
linuxdhcp-idm            An IDM plugin for Linux DHCP server.
monit                    Plugin for the monit service used in Sheriff CSM.
moodle                   A MySQL database plugin.
ossec-idm-single-line    An IDM plugin for Sheriff HIDS.
ossec-single-line        Also known as the Sheriff HIDS plugin. Enabled by default.
post_correlation         A MySQL database plugin.
prads                    An IDM plugin for passive asset discovery. Enabled by default.
ssh-remote               A plugin for OpenSSH.
suricata                 Also known as the Sheriff NIDS plugin. Enabled by default.

For those plugins that allow it, enabling plugins on specific assets is generally recommended over enabling plugins on the Sheriff CSM Sensor. Plugins enabled at the asset level are automatically configured, whereas plugins enabled at the Sensor level must often be configured first. For log-based plugins, this means setting up rsyslog collection and processing, and log rotation. (See Configure the Sheriff CSM Sensor to Receive Logs Through Syslog.)

Convenience and performance may also be factors in choosing whether to enable plugins on individual assets, or to enable them on the Sheriff CSM Sensor. Enabling plugins on individual assets can help distribute the load of handling heavy traffic by running copies of the plugin on multiple processors or cores, rather than on a single one. However, if you want to use the same plugin with a large number of assets, and volume of traffic is not an issue, you may find it easier to enable and configure the plugin on the Sensor.

Note: In addition to enabling the plugin, you must also configure the application or device that the plugin is intended for to forward its logs to Sheriff CSM. For your convenience, Sheriff has composed a list of the most commonly used devices and how to configure log forwarding on them. See Configure Log Forwarding on Commonly Used Data Sources.

Topic revision: 01 Mar 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.