OSSEC JSON complete log format


Kyriakos Stavridis

Sep 30, 2020, 3:13:36 PM
to ossec-list
Hello everyone!

I was trying to find all the possible fields that can exist in a JSON log entry that OSSEC produces.

I know that by using decoders, you can add your own fields and extend the possible fields that OSSEC adds by itself.

I'm referring to all the possible fields that can be produced exclusively by OSSEC's engine.

Does anyone have any particular documentation or something close to that?

Thanks!

Yana Zaeva

Dec 28, 2020, 9:31:19 AM
to ossec-list
Hi Kyriakos,

Sorry for the late response. The default JSON decoder that OSSEC uses (which you can find at the path /var/ossec/ruleset/decoders/0006-json_decoders.xml) should parse all the information present in a log. For example, using the tool ossec-logtest, which you can find in /var/ossec/bin/ossec-logtest, and with the log:

{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}

we would achieve the following result, where we can see that all the fields were correctly parsed: 

**Phase 1: Completed pre-decoding.
       full event: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
       timestamp: '(null)'
       hostname: 'default'
       program_name: '(null)'
       log: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       header.name: 'EcoScope Data'
       header.well: '35/12-6S'
       header.field: 'Fram'
       header.date: '2020-06-14'
       header.operator: 'Logtek Petroleum'
       header.startIndex: '2907.790000'
       header.endIndex: '2907.840000'
       header.step: '0.010000'


I will also leave you some information about customizing rules and decoders for further insight: https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html

Hope I was helpful. Do not hesitate to contact us if you have any doubt.

Yana.
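The logtest output above shows the two things the json decoder does with an arbitrary event: it walks nested objects and joins the key path with dots (header.name, header.startIndex), and it renders every value as a string, with non-integral numbers printed to six decimals (2907.79 becomes '2907.790000'). The following Python is an added example, not OSSEC's or Wazuh's decoder code: it reproduces that visible behaviour on the event posted in the thread and then builds the field inventory the original question asks for by taking the union of decoded keys over a batch of events. The thread shows no integers, booleans, nulls or arrays, so how those are rendered here (str(), 'true'/'false', 'null', index suffixes) is an assumption, and the second sample event is constructed to exercise those paths.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample input. The first event is the one posted in the thread;
# the second is invented to add an integer, a boolean, a null and one more
# nesting level.
SAMPLE_EVENTS = [
    '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram",'
    '"date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,'
    '"endIndex": 2907.84,"step": 0.01}}',
    '{"header": {"name": "EcoScope Data","well": "35/12-6S"},'
    '"data": {"depth": 2908,"qc": {"passed": true,"note": null}}}',
]


def _render_scalar(value: Any) -> str:
    """Render a JSON scalar the way the ossec-logtest output above prints it.

    Strings pass through unchanged and non-integral numbers print with six
    decimals ('2907.790000' for 2907.79), which is what the thread shows.
    Integers, booleans and nulls do not appear on the page, so their
    rendering here is an assumption of this example."""
    if isinstance(value, bool):          # check bool before int: bool subclasses int
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, float):
        return "%f" % value
    return str(value)


def flatten_json_event(raw: str, sep: str = ".") -> Dict[str, str]:
    """Decode one JSON log line into flat 'a.b.c' -> string fields.

    Nested objects are walked recursively and their keys joined with `sep`,
    reproducing the 'header.name', 'header.startIndex' keys in the thread.
    Arrays are not shown on the page; here each element gets an index
    suffix ('tags.0', 'tags.1') as a labeled assumption."""
    fields: Dict[str, str] = {}

    def walk(node: Any, prefix: str) -> None:
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{prefix}{sep}{key}" if prefix else key)
        elif isinstance(node, list):
            for idx, child in enumerate(node):
                walk(child, f"{prefix}{sep}{idx}" if prefix else str(idx))
        else:
            fields[prefix] = _render_scalar(node)

    walk(json.loads(raw), "")
    return fields


def collect_field_names(events: Iterable[str]) -> List[str]:
    """Sorted union of decoded field names over a batch of events.

    This is the inventory the original question asks for. Because the json
    decoder emits whatever keys the log carries, the honest answer is to run
    this over a representative sample of your own logs rather than to look
    for a fixed list. Lines that are not JSON are skipped, since they would
    not match the json decoder in the first place."""
    names = set()
    for raw in events:
        try:
            names.update(flatten_json_event(raw))
        except json.JSONDecodeError:
            continue
    return sorted(names)


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        for key, val in flatten_json_event(raw).items():
            print(f"       {key}: '{val}'")
        print()
    print(collect_field_names(SAMPLE_EVENTS))
```

The printed form of the first event matches the Phase 2 block above field for field. Note that the float rendering is lossy in the other direction: a rule comparing header.startIndex as a string will see '2907.790000', not '2907.79', so numeric comparisons in rules should use the decoder's rendered form.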

dan (ddp)

Dec 28, 2020, 9:40:04 AM
to ossec...@googlegroups.com
On Mon, Dec 28, 2020 at 9:31 AM Yana Zaeva <yana....@wazuh.com> wrote:
>
> Hi Kyriakos,
>
> Sorry for the late response. The default JSON decoder that OSSEC uses (which you can find at the path /var/ossec/ruleset/decoders/0006-json_decoders.xml) should parse all the information present in a log. For example, using the tool ossec-logtest, which you can find in /var/ossec/bin/ossec-logtest, and with the log:
>

This appears to be information about Wazuh, not OSSEC.

Yana Zaeva

Dec 28, 2020, 1:01:10 PM
to ossec-list
Hi Dan,

Sure, it is from Wazuh, but as Wazuh is an OSSEC-based platform, OSSEC users can use the rules and decoders that have been developed for Wazuh too. In a nutshell, the decoders and rules that are present by default in Wazuh but not in OSSEC can be used in this tool too. The documentation regarding customizing already existing rules or decoders and adding new ones can be of use too.

Regards,
Yana.
