OSSEC Logs
Connecting OSSEC logs to your Panther Console
Panther supports ingesting OSSEC logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
To connect these logs into Panther:
- 1.In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
- 2.Click Create New.
- 3.Search for the log type you want to onboard, then click its tile.
- 4.Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
- 5.Configure OSSEC to push logs to the Data Transport source.
- See OSSEC's documentation for instructions on pushing logs to your selected Data Transport source.
OSSEC EventInfo alert parser. JSON output is supported.
schema: OSSEC.EventInfo
description: OSSEC EventInfo alert parser. Currently only JSON output is supported.
referenceURL: https://www.ossec.net/docs/docs/formats/alerts.html
fields:
- name: id
required: true
description: Unique id of the event.
type: string
- name: rule
required: true
description: Information about the rule that created the event.
type: object
fields:
- name: comment
required: true
description: The rule description.
type: string
- name: level
required: true
description: The level of the rule (0 to 16). Alerts and responses use this value.
type: bigint
- name: sidid
required: true
description: The ID of the rule (100 to 99999).
type: bigint
- name: CIS
description: A list of Center for Internet Security (CIS) checks relevant to the rule.
type: array
element:
type: string
- name: cve
description: A Common Vulnerabilities and Exposures (CVE) identifier relevant to the rule.
type: string
- name: firedtimes
description: The number of times the rule fired.
type: bigint
- name: frequency
description: Specifies the number of times the rule must have matched before firing.
type: bigint
- name: group
description: Groups are optional tags added to alerts.
type: string
- name: groups
description: Groups are optional tags added to alerts.
type: array
element:
type: string
- name: info
description: Additional information or reference about the rule.
type: string
- name: PCI_DSS
description: A list of Payment Card Industry Data Security Standard (PCI DSS) requirements relevant to the rule.
type: array
element:
type: string
- name: TimeStamp
required: true
description: Timestamp in UTC.
type: timestamp
timeFormats:
- unix_ms
isEventTime: true
- name: location
required: true
description: Source of the event (filename, command, etc).
type: string
- name: hostname
required: true
description: Hostname of the host that created the event.
type: string
- name: full_log
required: true
description: The full captured log of the event.
type: string
- name: action
description: The event action (drop, deny, accept, etc).
type: string
- name: agentip
description: The IP address of an agent extracted from the hostname.
type: string
indicators:
- ip
- name: agent_name
description: The name of an agent extracted from the hostname.
type: string
- name: command
description: The command extracted by the decoder.
type: string
- name: data
description: Additional data extracted by the decoder. For example a filename.
type: string
- name: decoder
description: The name of the decoder used to parse the logs.
type: string
- name: decoder_desc
description: Information about the decoder used to parse the logs.
type: object
fields:
- name: accumulate
description: True if OSSEC tracks events over multiple log messages based on decoded id.
type: bigint
- name: fts
description: The First Time Seen option inside of analysisd.
type: bigint
- name: ftscomment
description: Unused at this time.
type: string
- name: name
description: The name of the decoder.
type: string
- name: parent
description: In the case of a nested decoder, the name of it's parent.
type: string
- name: decoder_parent
description: In the case of a nested decoder, the name of it's parent.
type: string
- name: dstgeoip
description: GeoIP location information about the destination IP address.
type: string
- name: dstip
description: The destination IP address.
type: string
indicators:
- ip
- name: dstport
description: The destination port.
type: string
- name: dstuser
description: The destination (target) username.
type: string
indicators:
- username
- name: logfile
description: The source log file that was decoded to generate the event.
type: string
- name: previous_output
description: The full captured log of the previous event.
type: string
- name: program_name
description: The executable name extracted from the log by the decoder used to match a rule.
type: string
- name: protocol
description: The protocol (ip, tcp, udp, etc) extracted by the decoder.
type: string
- name: srcgeoip
description: GeoIP location information about the source IP address.
type: string
- name: srcip
description: The source IP address.
type: string
indicators:
- ip
- name: srcport
description: The source port.
type: string
- name: srcuser
description: The source username.
type: string
indicators:
- username
- name: status
description: Event status (success, failure, etc).
type: string
- name: SyscheckFile
description: Information about a file integrity check.
type: object
fields:
- name: gowner_after
description: The group owner after modification.
type: string
- name: gowner_before
description: The group owner before modification.
type: string
- name: md5_after
description: MD5 hash of the file after modification.
type: string
indicators:
- md5
- name: md5_before
description: MD5 hash of the file before modification.
type: string
indicators:
- md5
- name: owner_after
description: The file owner after modification.
type: string
- name: owner_before
description: The file owner before modification.
type: string
- name: path
description: The path to the file.
type: string
- name: perm_after
description: The permissions of the file after modification.
type: bigint
- name: perm_before
description: The permissions of the file before modification.
type: bigint
- name: sha1_after
description: SHA1 hash of the file after modification.
type: string
indicators:
- sha1
- name: sha1_before
description: SHA1 hash of the file before modification.
type: string
indicators:
- sha1
- name: systemname
description: The system name extracted by the decoder.
type: string
- name: url
description: URL of the event.
type: string
Last modified 24d ago