I was looking at doing this as well. The main thing holding me back is the limited fields that can be extracted. My current understanding is that osecc decoder's field extraction is limited to the following fields:
location - where the log came from (only on FTS) srcuser - extracts the source username dstuser - extracts the destination (target) username user - an alias to dstuser (only one of the two can be used) srcip - source ip dstip - dst ip srcport - source port dstport - destination port protocol - protocol id - event id url - url of the event action - event action (deny, drop, accept, etc) status - event status (success, failure, etc) extra_data - Any extra data (from https://github.com/ossec/ossec-rules/blob/master/etc/decoder.xml) Is my understanding correct? How do you intend to overcome this limitation? I mean, the opportunities for detection, if osquery and ossec were combined, are incredible, so I would love to take a stab at it. On Thursday, February 28, 2019 at 10:23:40 AM UTC-5, [email protected] wrote: > > Actually, there is a solution for this, but it is a separate package that > has to be installed and configured. It is called OSQUERY and can be found > here: > > https://osquery.io/ > > OSQUERY is open source under the Apache license. Like OSSEC, it runs on > almost every platform. It can provide a HUGE amount of information about > the client system. It was developed by Facebook as an asset management > subsystem and uses its own structured query language for pulling data from > clients. There are several third-party modules that have been developed for > it as well, including an installer and auto-updater (Kolide launcher). The > Kolide tool for auto-updating might be a good model for building a tool to > auto-update OSSEC someday too. > > We have been looking at integrating OSQUERY with OSSEC for a while. The > easiest way to do this would be to build a separate encrypted communication > channel between the OSSEC server and OSQUERY. I will submit a pull request > if we work all the details out for full integration. We are working on a > PCI DSS compliant port monitoring tool for OSSEC right now that we will > submit on a separate pull request when it is done. If anyone is interested, > I will be at the OSSEC conference on Mach 20th. Best, > > Dave Stoddard > Network Alarm Corporation > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
