OSSEC Logs
Connecting OSSEC logs to your Panther Console
Overview
Panther supports ingesting OSSEC logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard OSSEC logs to Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for the log type you want to onboard, then click its tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
Configure OSSEC to push logs to the Data Transport source.
See OSSEC's documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
OSSEC.EventInfo
OSSEC EventInfo alert parser. JSON output is supported.
Reference: OSSEC Documentation on Alert Log Samples.
schema: OSSEC.EventInfo
description: OSSEC EventInfo alert parser. Currently only JSON output is supported.
referenceURL: https://www.ossec.net/docs/docs/formats/alerts.html
fields:
- name: id
required: true
description: Unique id of the event.
type: string
- name: rule
required: true
description: Information about the rule that created the event.
type: object
fields:
- name: comment
required: true
description: The rule description.
type: string
- name: level
required: true
description: The level of the rule (0 to 16). Alerts and responses use this value.
type: bigint
- name: sidid
required: true
description: The ID of the rule (100 to 99999).
type: bigint
- name: CIS
description: A list of Center for Internet Security (CIS) checks relevant to the rule.
type: array
element:
type: string
- name: cve
description: A Common Vulnerabilities and Exposures (CVE) identifier relevant to the rule.
type: string
- name: firedtimes
description: The number of times the rule fired.
type: bigint
- name: frequency
description: Specifies the number of times the rule must have matched before firing.
type: bigint
- name: group
description: Groups are optional tags added to alerts.
type: string
- name: groups
description: Groups are optional tags added to alerts.
type: array
element:
type: string
- name: info
description: Additional information or reference about the rule.
type: string
- name: PCI_DSS
description: A list of Payment Card Industry Data Security Standard (PCI DSS) requirements relevant to the rule.
type: array
element:
type: string
- name: TimeStamp
required: true
description: Timestamp in UTC.
type: timestamp
timeFormats:
- unix_ms
isEventTime: true
- name: location
required: true
description: Source of the event (filename, command, etc).
type: string
- name: hostname
required: true
description: Hostname of the host that created the event.
type: string
- name: full_log
required: true
description: The full captured log of the event.
type: string
- name: action
description: The event action (drop, deny, accept, etc).
type: string
- name: agentip
description: The IP address of an agent extracted from the hostname.
type: string
indicators:
- ip
- name: agent_name
description: The name of an agent extracted from the hostname.
type: string
- name: command
description: The command extracted by the decoder.
type: string
- name: data
description: Additional data extracted by the decoder. For example a filename.
type: string
- name: decoder
description: The name of the decoder used to parse the logs.
type: string
- name: decoder_desc
description: Information about the decoder used to parse the logs.
type: object
fields:
- name: accumulate
description: True if OSSEC tracks events over multiple log messages based on decoded id.
type: bigint
- name: fts
description: The First Time Seen option inside of analysisd.
type: bigint
- name: ftscomment
description: Unused at this time.
type: string
- name: name
description: The name of the decoder.
type: string
- name: parent
description: In the case of a nested decoder, the name of it's parent.
type: string
- name: decoder_parent
description: In the case of a nested decoder, the name of it's parent.
type: string
- name: dstgeoip
description: GeoIP location information about the destination IP address.
type: string
- name: dstip
description: The destination IP address.
type: string
indicators:
- ip
- name: dstport
description: The destination port.
type: string
- name: dstuser
description: The destination (target) username.
type: string
indicators:
- username
- name: logfile
description: The source log file that was decoded to generate the event.
type: string
- name: previous_output
description: The full captured log of the previous event.
type: string
- name: program_name
description: The executable name extracted from the log by the decoder used to match a rule.
type: string
- name: protocol
description: The protocol (ip, tcp, udp, etc) extracted by the decoder.
type: string
- name: srcgeoip
description: GeoIP location information about the source IP address.
type: string
- name: srcip
description: The source IP address.
type: string
indicators:
- ip
- name: srcport
description: The source port.
type: string
- name: srcuser
description: The source username.
type: string
indicators:
- username
- name: status
description: Event status (success, failure, etc).
type: string
- name: SyscheckFile
description: Information about a file integrity check.
type: object
fields:
- name: gowner_after
description: The group owner after modification.
type: string
- name: gowner_before
description: The group owner before modification.
type: string
- name: md5_after
description: MD5 hash of the file after modification.
type: string
indicators:
- md5
- name: md5_before
description: MD5 hash of the file before modification.
type: string
indicators:
- md5
- name: owner_after
description: The file owner after modification.
type: string
- name: owner_before
description: The file owner before modification.
type: string
- name: path
description: The path to the file.
type: string
- name: perm_after
description: The permissions of the file after modification.
type: bigint
- name: perm_before
description: The permissions of the file before modification.
type: bigint
- name: sha1_after
description: SHA1 hash of the file after modification.
type: string
indicators:
- sha1
- name: sha1_before
description: SHA1 hash of the file before modification.
type: string
indicators:
- sha1
- name: systemname
description: The system name extracted by the decoder.
type: string
- name: url
description: URL of the event.
type: stringLast updated