On Mon, Dec 28, 2020 at 9:31 AM Yana Zaeva <yana.za...@wazuh.com> wrote:
>
> Hi Kyriakos,
>
> Sorry for the late response. The default JSON decoder that OSSEC uses
> (which you can find at the path /var/ossec/ruleset/decoders/0006-json_decoders.xml)
> should parse all the information present in a log. For example, using the
> tool ossec-logtest, which you can find in /var/ossec/bin/ossec-logtest, and
> with the log:
>

This appears to be information about wazuh, not OSSEC.

> {"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}
>
> we would achieve the following result, where we can see that all the fields
> were correctly parsed:
>
> **Phase 1: Completed pre-decoding.
> full event: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
> timestamp: '(null)'
> hostname: 'default'
> program_name: '(null)'
> log: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
>
> **Phase 2: Completed decoding.
> decoder: 'json'
> header.name: 'EcoScope Data'
> header.well: '35/12-6S'
> header.field: 'Fram'
> header.date: '2020-06-14'
> header.operator: 'Logtek Petroleum'
> header.startIndex: '2907.790000'
> header.endIndex: '2907.840000'
> header.step: '0.010000'
>
> You can also find the JSON decoder in this link:
> https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0006-json_decoders.xml
>
> I will also leave you some information about customizing rules and decoders
> for further insight:
> https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html
>
> Hope I was helpful. Do not hesitate to contact us if you have any doubt.
>
> Yana.
>
> On Wednesday, September 30, 2020 at 9:13:36 PM UTC+2 Kyriakos Stavridis wrote:
>>
>> Hello everyone!
>>
>> I was trying to find all the possible fields that can exist in a JSON log
>> entry that OSSEC produces.
>>
>> I know that by using decoders, you can add your own fields and extend the
>> possible fields that OSSEC adds by itself.
>>
>> I'm referring to all the possible fields that can be produced exclusively by
>> OSSEC's engine.
>>
>> Does anyone have any particular documentation or something close to that?
>>
>> Thanks!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAMyQvMppM3%2BfYttQbtwzEE%3D%3DQkTGvrJqL41JFWwPFavq3oYLeA%40mail.gmail.com.
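For the question in the quoted thread (which field names a JSON log line yields) and the decoder output Yana shows, here is an added example that is not code from the thread, OSSEC or Wazuh: it reproduces the dotted-key flattening and six-decimal float rendering visible in the quoted ossec-logtest Phase 2 output, so a rule author can list the fields a given log line will produce. Numeric indexing of arrays and the rendering of booleans and null are assumptions, since the quoted example contains none.

```python
import json
from typing import Any, Dict

# Constructed sample: the same log line the quoted ossec-logtest run used.
SAMPLE_LOG = ('{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram",'
              '"date": "2020-06-14","operator": "Logtek Petroleum",'
              '"startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}')


def format_value(value: Any) -> str:
    """Render a scalar as the quoted Phase 2 output shows it: floats with six
    decimals ('2907.790000'), strings unchanged. Rendering of bool and null is
    an assumption; the thread shows neither."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, float):
        return f"{value:f}"
    if value is None:
        return "null"
    return str(value)


def flatten_json_log(log_line: str, sep: str = ".") -> Dict[str, str]:
    """Flatten one JSON log line into the dotted field names a rule can match.
    Nested objects become 'parent.child' as in the thread's output; numeric
    indexes for arrays are an assumption, since the quoted example has none."""
    fields: Dict[str, str] = {}

    def walk(node: Any, prefix: str) -> None:
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{prefix}{sep}{key}" if prefix else key)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{prefix}{sep}{i}" if prefix else str(i))
        else:
            fields[prefix] = format_value(node)

    walk(json.loads(log_line), "")
    return fields


def field_names(log_line: str) -> list:
    """Only the field names, sorted: the answer to 'which fields exist for this log'."""
    return sorted(flatten_json_log(log_line))


if __name__ == "__main__":
    for name, value in flatten_json_log(SAMPLE_LOG).items():
        print(f"{name}: '{value}'")
```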