On Mon, Dec 28, 2020 at 9:31 AM Yana Zaeva <yana.za...@wazuh.com> wrote:
>
> Hi Kyriakos,
>
> Sorry for the late response. The default JSON decoder that OSSEC uses
> (which you can find at the path
> /var/ossec/ruleset/decoders/0006-json_decoders.xml) should parse all the
> information present in a log. For example, using the tool ossec-logtest,
> which you can find in /var/ossec/bin/ossec-logtest, and with the log:
>

This appears to be information about wazuh, not OSSEC.

> {"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
> "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
> 2907.79,"endIndex": 2907.84,"step": 0.01}}
>
> we would achieve the following result, where we can see that all the fields 
> were correctly parsed:
>
> **Phase 1: Completed pre-decoding.
>        full event: '{"header": {"name": "EcoScope Data","well": 
> "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek 
> Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
>        timestamp: '(null)'
>        hostname: 'default'
>        program_name: '(null)'
>        log: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
> "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
> 2907.79,"endIndex": 2907.84,"step": 0.01}}'
>
> **Phase 2: Completed decoding.
>        decoder: 'json'
>        header.name: 'EcoScope Data'
>        header.well: '35/12-6S'
>        header.field: 'Fram'
>        header.date: '2020-06-14'
>        header.operator: 'Logtek Petroleum'
>        header.startIndex: '2907.790000'
>        header.endIndex: '2907.840000'
>        header.step: '0.010000'
>
> You can also find the JSON decoder in this link: 
> https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0006-json_decoders.xml
>
> I will also leave you some information about customizing rules and decoders 
> for further insight: 
> https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html
>
> Hope I was helpful. Do not hesitate to contact us if you have any doubts.
>
> Yana.
>
> On Wednesday, September 30, 2020 at 9:13:36 PM UTC+2 Kyriakos Stavridis wrote:
>>
>> Hello everyone!
>>
>> I was trying to find all the possible fields that can exist in a JSON log 
>> entry that OSSEC produces.
>>
>> I know that by using decoders, you can add your own fields and extend the 
>> possible fields that OSSEC adds by itself.
>>
>> I'm referring to all the possible fields that can be produced exclusively by 
>> OSSEC's engine.
>>
>> Does anyone have any particular documentation or something close to that?
>>
>> Thanks!
>
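The Phase 2 output quoted above shows the decoder flattening the nested object into dotted field names (header.name, header.step) and rendering the numbers with six decimals. The following Python is an added illustration, not Wazuh's or OSSEC's own code: it reproduces that observable naming and formatting on the sample event so a rule author can predict which field names a nested JSON log will yield; it models only the cases visible in the thread (nested objects, strings, floats) and treats anything else as an assumption.

```python
import json

# Constructed copy of the sample event quoted in the thread.
SAMPLE_LOG = (
    '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram",'
    '"date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,'
    '"endIndex": 2907.84,"step": 0.01}}'
)


def flatten_json_event(raw: str, sep: str = ".") -> dict:
    """Flatten one JSON log line into the dotted field names shown by
    ossec-logtest (header.name, header.startIndex, ...).

    Nested objects recurse with `sep` joining the path; floats are rendered
    with six decimals to match '2907.790000' in the Phase 2 output.  Any other
    value type is simply stringified (an assumption; the thread only shows
    strings and numbers).  Returns {} when the line is not a JSON object, which
    is the situation in which the json decoder would not match the event.
    """

    def _walk(obj: dict, prefix: str, out: dict) -> dict:
        for key, value in obj.items():
            name = f"{prefix}{sep}{key}" if prefix else key
            if isinstance(value, dict):
                _walk(value, name, out)
            elif isinstance(value, float):
                out[name] = f"{value:.6f}"
            else:
                out[name] = str(value)
        return out

    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    if not isinstance(parsed, dict):
        return {}
    return _walk(parsed, "", {})


if __name__ == "__main__":
    # Prints the same field/value pairs as the Phase 2 block in the thread.
    for field, value in flatten_json_event(SAMPLE_LOG).items():
        print(f"{field}: '{value}'")
```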
