Hey Wayne,

Your understanding is correct; however, in version 3.3.x (currently available
in master) there has been the addition of dynamic decoders which will allow
you to create whatever key value pairs you want. Should be a new release in
the coming weeks but I am not 100% on when specifically it will be.

Stay tuned!

- Zack

On Fri, Apr 12, 2019 at 11:42 AM Wayne Villars <[email protected]>
wrote:

> I was looking at doing this as well. The main thing holding me back is the
> limited fields that can be extracted. My current understanding is that
> ossec decoder's field extraction is limited to the following fields:
>
> location        - where the log came from (only on FTS)
> srcuser         - extracts the source username
> dstuser         - extracts the destination (target) username
> user            - an alias to dstuser (only one of the two can be used)
> srcip           - source ip
> dstip           - dst ip
> srcport         - source port
> dstport         - destination port
> protocol        - protocol
> id              - event id
> url             - url of the event
> action          - event action (deny, drop, accept, etc)
> status          - event status (success, failure, etc)
> extra_data      - Any extra data
>
> (from https://github.com/ossec/ossec-rules/blob/master/etc/decoder.xml)
>
> Is my understanding correct? How do you intend to overcome this
> limitation? I mean, the opportunities for detection, if osquery and ossec
> were combined, are incredible, so I would love to take a stab at it.
>
>
> On Thursday, February 28, 2019 at 10:23:40 AM UTC-5, [email protected]
> wrote:
>>
>> Actually, there is a solution for this, but it is a separate package that
>> has to be installed and configured. It is called OSQUERY and can be found
>> here:
>>
>> https://osquery.io/
>>
>> OSQUERY is open source under the Apache license. Like OSSEC, it runs on
>> almost every platform. It can provide a HUGE amount of information about
>> the client system. It was developed by Facebook as an asset management
>> subsystem and uses its own structured query language for pulling data from
>> clients. There are several third-party modules that have been developed for
>> it as well, including an installer and auto-updater (Kolide launcher). The
>> Kolide tool for auto-updating might be a good model for building a tool to
>> auto-update OSSEC someday too.
>>
>> We have been looking at integrating OSQUERY with OSSEC for a while. The
>> easiest way to do this would be to build a separate encrypted communication
>> channel between the OSSEC server and OSQUERY. I will submit a pull request
>> if we work all the details out for full integration. We are working on a
>> PCI DSS compliant port monitoring tool for OSSEC right now that we will
>> submit on a separate pull request when it is done. If anyone is interested,
>> I will be at the OSSEC conference on March 20th. Best,
>>
>> Dave Stoddard
>> Network Alarm Corporation
>>
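As an added illustration (not code from this thread, nor from OSSEC or osquery), the script below maps a constructed osquery results-log line onto the fixed decoder field set quoted above and packs every other column into extra_data, which is what a pre-3.3 decoder leaves you with; the listening_ports column-to-field mapping is an assumption.

```python
import json

# The fixed field names a classic OSSEC decoder <order> can populate,
# as listed in the quoted decoder.xml excerpt.
OSSEC_FIELDS = {"location", "srcuser", "dstuser", "user", "srcip", "dstip",
                "srcport", "dstport", "protocol", "id", "url", "action",
                "status", "extra_data"}

# Assumed mapping from osquery listening_ports columns to OSSEC fields.
COLUMN_MAP = {"pid": "id", "port": "srcport", "address": "srcip",
              "protocol": "protocol"}

# Constructed osquery differential result line (osqueryd results log format).
SAMPLE_LINE = json.dumps({
    "name": "listening_ports", "hostIdentifier": "host01",
    "calendarTime": "Fri Apr 12 15:42:00 2019 UTC", "action": "added",
    "columns": {"pid": "4242", "port": "8080", "protocol": "6",
                "family": "2", "address": "0.0.0.0",
                "path": "/usr/bin/python3"},
})


def osquery_to_ossec(line):
    """Map one osquery result line onto the fixed OSSEC decoder fields.

    Columns with no fixed field are packed into extra_data as JSON, since
    a pre-3.3 decoder has nowhere else to put them.
    """
    rec = json.loads(line)
    fields = {"location": rec["hostIdentifier"], "action": rec["action"]}
    leftovers = {"query": rec["name"], "time": rec["calendarTime"]}
    for col, val in rec.get("columns", {}).items():
        target = COLUMN_MAP.get(col)
        if target and target not in fields:
            fields[target] = str(val)
        else:
            leftovers[col] = val
    fields["extra_data"] = json.dumps(leftovers, sort_keys=True)
    # user is an alias for dstuser: a decoder may set only one of the two.
    if "user" in fields and "dstuser" in fields:
        raise ValueError("user and dstuser cannot both be set")
    unknown = set(fields) - OSSEC_FIELDS
    if unknown:
        raise ValueError("not a fixed decoder field: %s" % sorted(unknown))
    return fields


if __name__ == "__main__":
    for k, v in sorted(osquery_to_ossec(SAMPLE_LINE).items()):
        print("%-10s %s" % (k, v))
```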
