Re: [ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread Yana Zaeva
Hi Dan,

Sure, it is from Wazuh but, as an OSSEC-based platform, OSSEC users can use 
the rules and decoders that have been developed for Wazuh too. In a 
nutshell, the decoders and rules that are by default in Wazuh but are not 
in OSSEC can be used in this tool too. The documentation regarding 
customizing already existing rules or decoders and adding new ones can be 
of use too.

Regards,
Yana.

On Monday, December 28, 2020 at 3:40:04 PM UTC+1 dan (ddpbsd) wrote:

> On Mon, Dec 28, 2020 at 9:31 AM Yana Zaeva  wrote:
> >
> > Hi Kyriakos,
> >
> > Sorry for the late response. The default JSON decoder that OSSEC uses 
> > (which you can find at the path /var/ossec/ruleset/decoders/0006-json_decoders.xml) 
> > should parse all the information present in a log. For example, using the 
> > tool ossec-logtest which you can find in /var/ossec/bin/ossec-logtest, 
> > and with the log:
> >
>
> This appears to be information about wazuh, not OSSEC.
>
> > {"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
> > "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
> > 2907.79,"endIndex": 2907.84,"step": 0.01}}
> >
> > we would achieve the following result, where we can see that all the 
> > fields were correctly parsed:
> >
> > **Phase 1: Completed pre-decoding.
> >    full event: '{"header": {"name": "EcoScope Data","well": 
> > "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek 
> > Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
> >    timestamp: '(null)'
> >    hostname: 'default'
> >    program_name: '(null)'
> >    log: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
> > "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
> > 2907.79,"endIndex": 2907.84,"step": 0.01}}'
> >
> > **Phase 2: Completed decoding.
> >    decoder: 'json'
> >    header.name: 'EcoScope Data'
> >    header.well: '35/12-6S'
> >    header.field: 'Fram'
> >    header.date: '2020-06-14'
> >    header.operator: 'Logtek Petroleum'
> >    header.startIndex: '2907.79'
> >    header.endIndex: '2907.84'
> >    header.step: '0.01'
> >
> > You can also find the JSON decoder in this link: 
> > https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0006-json_decoders.xml
> >
> > I will also leave you some information about customizing rules and 
> > decoders for further insight: 
> > https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html
> >
> > Hope I was helpful. Do not hesitate to contact us if you have any doubt.
> >
> > Yana.
> >
> > On Wednesday, September 30, 2020 at 9:13:36 PM UTC+2 Kyriakos Stavridis 
> > wrote:
> >>
> >> Hello everyone!
> >>
> >> I was trying to find all the possible fields that can exist in a JSON 
> >> log entry that OSSEC produces.
> >>
> >> I know that by using decoders, you can add your own fields and extend 
> >> the possible fields that OSSEC adds by itself.
> >>
> >> I'm referring to all the possible fields that can be produced 
> >> exclusively by OSSEC's engine.
> >>
> >> Does anyone have any particular documentation or something close to 
> >> that?
> >>
> >> Thanks!
> >
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/2ff72668-034a-418d-bd7d-b0c146d79616n%40googlegroups.com.


Re: [ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread dan (ddp)
On Mon, Dec 28, 2020 at 9:31 AM Yana Zaeva  wrote:
>
> Hi Kyriakos,
>
> Sorry for the late response. The default JSON decoder that OSSEC uses 
> (which you can find at the path /var/ossec/ruleset/decoders/0006-json_decoders.xml) 
> should parse all the information present in a log. For example, using the 
> tool ossec-logtest which you can find in /var/ossec/bin/ossec-logtest, 
> and with the log:
>

This appears to be information about wazuh, not OSSEC.

> {"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
> "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
> 2907.79,"endIndex": 2907.84,"step": 0.01}}
>
> we would achieve the following result, where we can see that all the fields 
> were correctly parsed:
>
> **Phase 1: Completed pre-decoding.
>    full event: '{"header": {"name": "EcoScope Data","well": 
> "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek 
> Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
>    timestamp: '(null)'
>    hostname: 'default'
>    program_name: '(null)'
>    log: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
> "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
> 2907.79,"endIndex": 2907.84,"step": 0.01}}'
>
> **Phase 2: Completed decoding.
>    decoder: 'json'
>    header.name: 'EcoScope Data'
>    header.well: '35/12-6S'
>    header.field: 'Fram'
>    header.date: '2020-06-14'
>    header.operator: 'Logtek Petroleum'
>    header.startIndex: '2907.79'
>    header.endIndex: '2907.84'
>    header.step: '0.01'
>
> You can also find the JSON decoder in this link: 
> https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0006-json_decoders.xml
>
> I will also leave you some information about customizing rules and decoders 
> for further insight: 
> https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html
>
> Hope I was helpful. Do not hesitate to contact us if you have any doubt.
>
> Yana.
>
> On Wednesday, September 30, 2020 at 9:13:36 PM UTC+2 Kyriakos Stavridis wrote:
>>
>> Hello everyone!
>>
>> I was trying to find all the possible fields that can exist in a JSON log 
>> entry that OSSEC produces.
>>
>> I know that by using decoders, you can add your own fields and extend the 
>> possible fields that OSSEC adds by itself.
>>
>> I'm referring to all the possible fields that can be produced exclusively by 
>> OSSEC's engine.
>>
>> Does anyone have any particular documentation or something close to that?
>>
>> Thanks!
>



[ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread Yana Zaeva
Hi Kyriakos,

Sorry for the late response. The default JSON decoder that OSSEC uses 
(which you can find at the path /var/ossec/ruleset/decoders/0006-json_decoders.xml) 
should parse all the information present in a log. For example, using the 
tool ossec-logtest which you can find in /var/ossec/bin/ossec-logtest, 
and with the log:

{"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
"Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
2907.79,"endIndex": 2907.84,"step": 0.01}}

we would achieve the following result, where we can see that all the fields 
were correctly parsed: 

**Phase 1: Completed pre-decoding.
   full event: '{"header": {"name": "EcoScope Data","well": 
"35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek 
Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
   timestamp: '(null)'
   hostname: 'default'
   program_name: '(null)'
   log: '{"header": {"name": "EcoScope Data","well": 
"35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek 
Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'

**Phase 2: Completed decoding.
   decoder: 'json'
   header.name: 'EcoScope Data'
   header.well: '35/12-6S'
   header.field: 'Fram'
   header.date: '2020-06-14'
   header.operator: 'Logtek Petroleum'
   header.startIndex: '2907.79'
   header.endIndex: '2907.84'
   header.step: '0.01'

You can also find the JSON decoder in this link: 
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0006-json_decoders.xml

I will also leave you some information about customizing rules and decoders 
for further insight: 
https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html

Hope I was helpful. Do not hesitate to contact us if you have any doubt.

Yana.

On Wednesday, September 30, 2020 at 9:13:36 PM UTC+2 Kyriakos Stavridis 
wrote:

> Hello everyone!
>
> I was trying to find all the possible fields that can exist in a JSON log 
> entry that OSSEC produces.
>
> I know that by using decoders, you can add your own fields and extend the 
> possible fields that OSSEC adds by itself.
>
> I'm referring to all the possible fields that can be produced exclusively 
> by OSSEC's engine.
>
> Does anyone have any particular documentation or something close to that?
>
> Thanks!
>

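A small model of what the Phase 2 output above shows: the nested JSON is flattened into dotted field names and every value is rendered as a string, plus a simplified field check of the kind a custom rule applies to those decoded fields. This is an added example, not code from the thread or from the OSSEC/Wazuh json decoder; the array handling and the regex matching in rule_matches are assumptions, not the engine's actual behaviour.

```python
import json
import re

# Constructed sample input: the log line quoted in the thread.
SAMPLE_LOG = ('{"header": {"name": "EcoScope Data","well": "35/12-6S","field": '
              '"Fram","date": "2020-06-14","operator": "Logtek Petroleum",'
              '"startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}')


def _render(value):
    # Every decoded value is shown as a string in the logtest output
    # (e.g. header.step: '0.01'); booleans/null keep their JSON spelling.
    if isinstance(value, bool) or value is None:
        return json.dumps(value)
    return str(value)


def flatten_json_log(raw, parent=""):
    """Model of the json decoder's Phase 2 fields: nested objects become
    'parent.child' keys. Returns None for a line that is not a JSON object
    (the decoder would not apply). Arrays kept as JSON text (assumption)."""
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            return None
        if not isinstance(raw, dict):
            return None
    fields = {}
    for key, value in raw.items():
        name = f"{parent}.{key}" if parent else key
        if isinstance(value, dict):
            fields.update(flatten_json_log(value, name))
        elif isinstance(value, list):
            fields[name] = json.dumps(value, separators=(",", ":"))
        else:
            fields[name] = _render(value)
    return fields


def rule_matches(fields, conditions):
    """Simplified stand-in (hypothetical helper) for a rule's
    <field name="...">regex</field> checks: each named field must exist and match."""
    return all(name in fields and re.search(pattern, fields[name])
               for name, pattern in conditions.items())


if __name__ == "__main__":
    decoded = flatten_json_log(SAMPLE_LOG)
    for name, value in decoded.items():
        print(f"{name}: '{value}'")
```

Run it and the printed lines reproduce the header.* fields from the thread; a non-object line (plain syslog text or a bare JSON array) yields None, which is the case a rule must not silently match.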