Links

OSSEC Logs

Connecting OSSEC logs to your Panther Console

Overview

Panther supports ingesting OSSE logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard OSSEC logs to Panther

To connect these logs into Panther:
  1. 1.
    Set up your Data Transport in the Panther Console.
    • Please follow Panther’s documentation for configuring the Data Transport option you will use:
  2. 2.
    Configure OSSEC to push logs to the Data Transport source.
    • See OSSEC's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields in the table are in bold.

OSSEC.EventInfo

OSSEC EventInfo alert parser. JSON output is supported.
Column
Type
Description
id
string
Unique id of the event.
rule
{ "comment":string, "group":string, "level":bigint, "sidid":bigint, "CIS":[string], "cve":string, "firedtimes":bigint, "frequency":bigint, "groups":[string], "info":string, "PCI_DSS":[string] }
Information about the rule that created the event.
TimeStamp
timestamp
Timestamp in UTC.
location
string
Source of the event (filename, command, etc).
hostname
string
Hostname of the host that created the event.
full_log
string
The full captured log of the event.
action
string
The event action (drop, deny, accept, etc).
agentip
string
The IP address of an agent extracted from the hostname.
agent_name
string
The name of an agent extracted from the hostname.
command
string
The command extracted by the decoder.
data
string
Additional data extracted by the decoder. For example a filename.
decoder
string
The name of the decoder used to parse the logs.
decoder_desc
{ "accumulate":bigint, "fts":bigint, "ftscomment":string, "name":string, "parent":string }
Information about the decoder used to parse the logs.
decoder_parent
string
In the case of a nested decoder, the name of it's parent.
dstgeoip
string
GeoIP location information about the destination IP address.
dstip
string
The destination IP address.
dstport
string
The destination port.
dstuser
string
The destination (target) username.
logfile
string
The source log file that was decoded to generate the event.
previous_output
string
The full captured log of the previous event.
program_name
string
The executable name extracted from the log by the decoder used to match a rule.
protocol
string
The protocol (ip, tcp, udp, etc) extracted by the decoder.
srcgeoip
string
GeoIP location information about the source IP address.
srcip
string
The source IP address.
srcport
string
The source port.
srcuser
string
The source username.
status
string
Event status (success, failure, etc).
SyscheckFile
{ "gowner_after":string, "gowner_before":string, "md5_after":string, "md5_before":string, "owner_after":string, "owner_before":string, "path":string, "perm_after":bigint, "perm_before":bigint, "sha1_after":string, "sha1_before":string }
Information about a file integrity check.
systemname
string
The system name extracted by the decoder.
url
string
URL of the event.
p_log_type
string
Panther added field with type of log
p_row_id
string
Panther added field with unique id (within table)
p_event_time
timestamp
Panther added standardize event time (UTC)
p_parse_time
timestamp
Panther added standardize log parse time (UTC)
p_source_id
string
Panther added field with the source id
p_source_label
string
Panther added field with the source label
p_any_ip_addresses
[string]
Panther added field with collection of ip addresses associated with the row
p_any_domain_names
[string]
Panther added field with collection of domain names associated with the row
p_any_sha1_hashes
[string]
Panther added field with collection of SHA1 hashes associated with the row
p_any_md5_hashes
[string]
Panther added field with collection of MD5 hashes associated with the row
p_any_sha256_hashes
[string]
Panther added field with collection of SHA256 hashes of any algorithm associated with the row