Hi Kyriakos,

Sorry for the late response. The default JSON decoder that OSSEC uses (which you can find at the path /var/ossec/ruleset/decoders/0006-json_decoders.xml) should parse all the information present in a log. For example, using the tool ossec-logtest, which you can find in /var/ossec/bin/ossec-logtest, and with the log:

{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}

we would achieve the following result, where we can see that all the fields were correctly parsed:

**Phase 1: Completed pre-decoding.
       full event: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
       timestamp: '(null)'
       hostname: 'default'
       program_name: '(null)'
       log: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       header.name: 'EcoScope Data'
       header.well: '35/12-6S'
       header.field: 'Fram'
       header.date: '2020-06-14'
       header.operator: 'Logtek Petroleum'
       header.startIndex: '2907.790000'
       header.endIndex: '2907.840000'
       header.step: '0.010000'

You can also find the JSON decoder at this link: https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0006-json_decoders.xml

I will also leave you some information about customizing rules and decoders for further insight: https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html

Hope I was helpful. Do not hesitate to contact us if you have any doubt.

Yana.

On Wednesday, September 30, 2020 at 9:13:36 PM UTC+2 Kyriakos Stavridis wrote:
> Hello everyone!
>
> I was trying to find all the possible fields that can exist in a JSON log
> entry that OSSEC produces.
>
> I know that by using decoders, you can add your own fields and extend the
> possible fields that OSSEC adds by itself.
>
> I'm referring to all the possible fields that can be produced exclusively
> by OSSEC's engine.
>
> Does anyone have any particular documentation or something close to that?
>
> Thanks!
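The decoding the reply shows, nested JSON flattened into dotted field names such as header.name, with floats printed to six decimal places, is easy to reproduce for a quick check of what a custom rule will be able to match on. The script below is an added example written for this thread; it is not part of the reply and is not the OSSEC or Wazuh decoder itself (which is C code in the project repository). It assumes that only objects nest (the sample has no arrays), that floats are rendered with C-style "%f" as the output above shows, and that integers, booleans and nulls print as plain text, which the thread does not show and is an assumption here. The sample event is the one from the reply, constructed inline.

```python
import json

# Constructed sample: the same JSON event the reply runs through ossec-logtest.
SAMPLE_EVENT = (
    '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram",'
    '"date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,'
    '"endIndex": 2907.84,"step": 0.01}}'
)


def _format_value(value):
    """Render a leaf value as a string the way the logtest output shows it."""
    if isinstance(value, bool):
        return "true" if value else "false"  # assumption: the thread shows no booleans
    if isinstance(value, float):
        return "%f" % value  # 2907.79 -> '2907.790000', matching the Phase 2 output
    if value is None:
        return "null"  # assumption: the thread shows no null values
    return str(value)  # ints and strings pass through unchanged (assumption for ints)


def flatten_json_event(line, prefix=""):
    """Flatten a JSON log line into dotted field names (header.name, header.well, ...).

    Returns None when the line is not a JSON object, i.e. when the json decoder
    would not match and the event would fall through to other decoders.
    """
    if isinstance(line, str):
        try:
            obj = json.loads(line)
        except ValueError:
            return None
    else:
        obj = line
    if not isinstance(obj, dict):
        return None

    fields = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            fields.update(flatten_json_event(value, name))  # recurse into nested objects
        else:
            fields[name] = _format_value(value)
    return fields


def render_phase2(fields):
    """Print the decoded fields in the same layout as the Phase 2 block above."""
    lines = ["**Phase 2: Completed decoding.", "       decoder: 'json'"]
    lines += [f"       {name}: '{value}'" for name, value in fields.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    decoded = flatten_json_event(SAMPLE_EVENT)
    print(render_phase2(decoded))
    # A non-JSON line yields None: the json decoder would not match it.
    print(flatten_json_event("Sep 30 21:13:36 host sshd[1]: not json"))
```

The dotted names this produces are the ones a custom rule would reference in a <field name="header.well"> match, so running a sample event through this (or through ossec-logtest itself) before writing rules avoids guessing at field names; keep in mind that numeric comparisons in rules see the formatted string, not the original number.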