Hi Kyriakos,

Sorry for the late response. The default JSON decoder that OSSEC uses 
(which you can find at the path /var/ossec/ruleset/decoders/0006-json_decoders.xml) 
should parse all the information present in a log. For example, using the 
tool ossec-logtest, which you can find in /var/ossec/bin/ossec-logtest, 
and with the log:

{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}

we would achieve the following result, where we can see that all the fields 
were correctly parsed: 

**Phase 1: Completed pre-decoding.
       full event: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
       timestamp: '(null)'
       hostname: 'default'
       program_name: '(null)'
       log: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       header.name: 'EcoScope Data'
       header.well: '35/12-6S'
       header.field: 'Fram'
       header.date: '2020-06-14'
       header.operator: 'Logtek Petroleum'
       header.startIndex: '2907.790000'
       header.endIndex: '2907.840000'
       header.step: '0.010000'

You can also find the JSON decoder in this link: 
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0006-json_decoders.xml

I will also leave you some information about customizing rules and decoders 
for further insight: 
https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html

Hope I was helpful. Do not hesitate to contact us if you have any doubt.

Yana.
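As an added example (not part of the thread and not Wazuh/OSSEC code), the script below reproduces what the Phase 2 output above shows: a JSON object is flattened into dotted field names, one level per nested object, and floating-point numbers are rendered with six decimals as in '2907.790000'. The sample log is the one from the thread. Everything beyond what that output shows is an assumption and is marked as such in the code: how integers, booleans, null and arrays are rendered, and that a line that is not a JSON object is simply not claimed by the decoder.

```python
import json


def _render(value):
    """Render a scalar the way the logtest output in the thread shows it.

    Only the float case ('%f', six decimals) is confirmed by that output.
    The other branches are assumptions made for this example, not
    behaviour documented on the page.
    """
    if isinstance(value, bool):          # assumption: JSON literals as text
        return "true" if value else "false"
    if value is None:                    # assumption
        return "null"
    if isinstance(value, float):         # confirmed: 2907.79 -> '2907.790000'
        return f"{value:f}"
    return str(value)                    # strings and integers (int assumed)


def flatten_json_log(line):
    """Return {dotted.key: rendered value} for a JSON object log line.

    Returns None when the line is not a JSON object, i.e. when the json
    decoder would not match it (assumption: it would then fall through to
    the other decoders in the ruleset).
    """
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None

    fields = {}

    def walk(prefix, node):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(f"{prefix}.{key}" if prefix else key, child)
        elif isinstance(node, list):
            # assumption: arrays are kept as their compact JSON text
            fields[prefix] = json.dumps(node, separators=(",", ":"))
        else:
            fields[prefix] = _render(node)

    walk("", obj)
    return fields


# The log line used in the thread (copied, not constructed).
SAMPLE_LOG = (
    '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": "Fram",'
    '"date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 2907.79,'
    '"endIndex": 2907.84,"step": 0.01}}'
)


if __name__ == "__main__":
    # Print in the same layout as the Phase 2 block of ossec-logtest.
    print("**Phase 2: Completed decoding.")
    print("       decoder: 'json'")
    for name, value in flatten_json_log(SAMPLE_LOG).items():
        print(f"       {name}: '{value}'")
```

To compare against the real decoder rather than this model of it, pipe the same line into the tool the thread names (`echo '<json line>' | /var/ossec/bin/ossec-logtest`), which reads log lines from standard input; if a field you expect is missing from Phase 2, the line was either not valid JSON or not a top-level object, and a custom decoder along the lines of the linked documentation is the next step.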

On Wednesday, September 30, 2020 at 9:13:36 PM UTC+2 Kyriakos Stavridis 
wrote:

> Hello everyone!
>
> I was trying to find all the possible fields that can exist in a JSON log 
> entry that OSSEC produces.
>
> I know that by using decoders, you can add your own fields and extend the 
> possible fields that OSSEC adds by itself.
>
> I'm referring to all the possible fields that can be produced exclusively 
> by OSSEC's engine.
>
> Does anyone have any particular documentation or something close to that?
>
> Thanks!
>
