Hi, here is an example of an Auditd rule that makes use of a dynamic field named "audit.type".
<!-- type=MAC_STATUS msg=audit(1336836093.835:406): enforcing=1 old_enforcing=0 auid=0 ses=2 -->
<rule id="80731" level="10">
  <if_sid>80700</if_sid>
  <field name="audit.type">MAC_STATUS</field>
  <description>Auditd: SELinux mode (enforcing, permissive, off) is changed</description>
  <group>audit_selinux,pci_dss_10.6.1,</group>
</rule>

The name of this field is defined in the decoder XML file, and values are assigned using regular expressions. See here an example of a decoder using dynamic fields:

https://github.com/wazuh/wazuh/blob/master/etc/decoders/0040-auditd_decoders.xml#L120

I believe the best thing about this implementation is that it allows you to use as many fields as you need (the limit is set in the internal_options.conf file), name those fields however you want, and see the fields printed in the alerts output in JSON format. See below an example of an alert:

{
  "agent": {
    "id": "003",
    "ip": "10.0.0.121",
    "name": "vpc-agent-debian"
  },
  "audit": {
    "auid": "0",
    "enforcing": "1",
    "id": "406",
    "old_enforcing": "0",
    "session": "2",
    "type": "MAC_STATUS"
  },
  "decoder": {
    "name": "auditd",
    "parent": "auditd"
  },
  "full_log": "type=MAC_STATUS msg=audit(1336836093.835:406): enforcing=1 old_enforcing=0 auid=0 ses=2",
  "location": "/var/log/audit/audit.log",
  "manager": {
    "name": "vpc-ossec-manager"
  },
  "rule": {
    "description": "Auditd: SELinux mode (enforcing, permissive, off) is changed",
    "firedtimes": 1,
    "groups": [
      "audit",
      "audit_selinux"
    ],
    "id": 80731,
    "level": 10,
    "pci_dss": [
      "10.6.1"
    ]
  },
  "timestamp": "2017-02-01T17:33:29-0800"
}

Regarding Wazuh differences with OSSEC, the Wazuh team is working on updating the documentation to explain those better (and on a new release and installers). Highlights of the new Wazuh version (2.0, currently found under the master branch) are:

- OpenSCAP integrated as part of the agent, allowing users to run OVAL checks.
- New WUI on top of Kibana 5, integrated with the RESTful API to monitor the configuration of the manager, rules and status of the agents.
- Improved log analysis and FIM capabilities.
- Ruleset with compliance mapping.
- Agent-manager communications over TCP supported.
- A modules manager that will allow future integration of other tools (in the roadmap are OSquery and Threat Intelligence sources).

The complete changelog can be found here: https://github.com/wazuh/wazuh/blob/master/CHANGELOG.md

If you are curious, here are some screenshots of the WUI: https://github.com/wazuh/wazuh-documentation/blob/new_template/source/index.rst

It is also worth mentioning that the Wazuh project, as a fork, is based on the work done by OSSEC developers and contributors, to whom we are thankful. Wazuh plans to continue contributing to the OSSEC GitHub repository with bug fixes, but we also have our own roadmap so, most likely, both projects will evolve in different ways.

Please, for future Wazuh related questions, use our mailing list at: wazuh+subscr...@googlegroups.com

Santiago.

On Wednesday, February 1, 2017 at 5:59:23 AM UTC-8, secuc...@free.fr wrote:
>
> Where can I find information on the dynamic fields?
> Thanks
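Added illustration, not part of the original post and not Wazuh's own engine: a small Python model of what the post describes, a decoder whose regex captures are named as dotted dynamic fields (mirroring the regex/order pairing in 0040-auditd_decoders.xml), and rule 80731 matching on audit.type so that the nested "audit" object of the alert is produced. The DECODER and RULE dict layouts are assumptions for the demo; the sample log line is the one quoted above.

```python
import json
import re

# Constructed sample event: the same line the post's rule comment shows.
SAMPLE_LOG = ("type=MAC_STATUS msg=audit(1336836093.835:406): "
              "enforcing=1 old_enforcing=0 auid=0 ses=2")

# Simplified decoder (assumed format): one regex, and an order list that
# names each capture group as a dynamic field in the "audit" namespace.
DECODER = {
    "name": "auditd",
    "regex": re.compile(r"^type=(\S+) msg=audit\(\S+:(\d+)\): "
                        r"enforcing=(\d) old_enforcing=(\d) auid=(\d+) ses=(\d+)"),
    "order": ["audit.type", "audit.id", "audit.enforcing",
              "audit.old_enforcing", "audit.auid", "audit.session"],
}

# Rule 80731 from the post, as a dict (assumed format): fire when the
# dynamic field audit.type equals MAC_STATUS.
RULE = {"id": 80731, "level": 10, "field": "audit.type", "value": "MAC_STATUS",
        "description": "Auditd: SELinux mode (enforcing, permissive, off) is changed",
        "groups": ["audit", "audit_selinux"]}

def decode(line, decoder=DECODER):
    """Return dotted dynamic fields, e.g. {'audit.type': 'MAC_STATUS'}, or None."""
    m = decoder["regex"].match(line)
    if not m:
        return None
    return dict(zip(decoder["order"], m.groups()))

def nest(fields):
    """Turn dotted field names into the nested object layout of the JSON alert."""
    out = {}
    for key, value in fields.items():
        node = out
        parts = key.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return out

def evaluate(line, rule=RULE):
    """Decode the line; return an alert dict if the rule's field matches, else None."""
    fields = decode(line)
    if fields is None or fields.get(rule["field"]) != rule["value"]:
        return None
    alert = nest(fields)
    alert["decoder"] = {"name": DECODER["name"]}
    alert["full_log"] = line
    alert["rule"] = {k: rule[k] for k in ("id", "level", "description", "groups")}
    return alert

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_LOG), indent=2, sort_keys=True))
```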