Knowledge BasePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Sources & Transports
Data Transports
Supported Logs
1Password Logs
Apache Logs
Asana Logs
Atlassian Logs
AWS Logs
Box Logs
Cisco Umbrella Logs
Cloudflare Logs
CrowdStrike Logs
Dropbox Logs
Duo Security Logs
Fastly Logs
Fluentd Logs
GCP Logs
Github Logs
GitLab Logs
G Suite Logs
JAMF Pro Logs
Juniper Logs
Lacework Logs
Microsoft 365 Logs
Microsoft Graph Logs (Beta)
Nginx Logs
Okta Logs
OneLogin Logs
Osquery Logs
OSSEC Logs
Salesforce Logs
Sophos Logs
Slack Logs
Snyk Logs
Suricata Logs
Syslog Logs
Teleport Logs
Zeek Logs
Zoom Logs
Zendesk Logs
Custom Logs
Monitoring Log Sources
Writing Detections
Cloud Security Scanning
Destinations
Data Analytics
Enrichment (Beta)
System Configuration
Panther API (Beta)
Guides
Help
Powered By GitBook
OSSEC Logs
Connecting OSSEC logs to your Panther Console

Overview

Panther supports ingesting OSSE logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard OSSEC logs to Panther

To connect these logs into Panther:
  1. 1.
    Set up your Data Transport in the Panther Console.
    • Please follow Panther’s documentation for configuring the Data Transport option you will use:
  2. 2.
    Configure OSSEC to push logs to the Data Transport source.
    • See OSSEC's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields in the table are in bold.

OSSEC.EventInfo

OSSEC EventInfo alert parser. JSON output is supported.
Column
Type
Description
id
string
Unique id of the event.
rule
{ "comment":string, "group":string, "level":bigint, "sidid":bigint, "CIS":[string], "cve":string, "firedtimes":bigint, "frequency":bigint, "groups":[string], "info":string, "PCI_DSS":[string] }
Information about the rule that created the event.
TimeStamp
timestamp
Timestamp in UTC.
location
string
Source of the event (filename, command, etc).
hostname
string
Hostname of the host that created the event.
full_log
string
The full captured log of the event.
action
string
The event action (drop, deny, accept, etc).
agentip
string
The IP address of an agent extracted from the hostname.
agent_name
string
The name of an agent extracted from the hostname.
command
string
The command extracted by the decoder.
data
string
Additional data extracted by the decoder. For example a filename.
decoder
string
The name of the decoder used to parse the logs.
decoder_desc
{ "accumulate":bigint, "fts":bigint, "ftscomment":string, "name":string, "parent":string }
Information about the decoder used to parse the logs.
decoder_parent
string
In the case of a nested decoder, the name of it's parent.
dstgeoip
string
GeoIP location information about the destination IP address.
dstip
string
The destination IP address.
dstport
string
The destination port.
dstuser
string
The destination (target) username.
logfile
string
The source log file that was decoded to generate the event.
Previous
Osquery Logs
Next
Salesforce Logs
Last modified 22d ago
Copy link
Outline
Overview
How to onboard OSSEC logs to Panther
Supported log types
OSSEC.EventInfo