OSSEC Logs

Connecting OSSEC logs to your Panther Console

Overview

Panther supports ingesting OSSEC logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard OSSEC logs to Panther

To connect these logs into Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for the log type you want to onboard, then click its tile.

  4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:

  5. Configure OSSEC to push logs to the Data Transport source.

    • See OSSEC's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

OSSEC.EventInfo

OSSEC EventInfo alert parser. JSON output is supported.

Reference: OSSEC Documentation on Alert Log Samples.

schema: OSSEC.EventInfo
description: OSSEC EventInfo alert parser. Currently only JSON output is supported.
referenceURL: https://www.ossec.net/docs/docs/formats/alerts.html
fields:
    - name: id
      required: true
      description: Unique id of the event.
      type: string
    - name: rule
      required: true
      description: Information about the rule that created the event.
      type: object
      fields:
        - name: comment
          required: true
          description: The rule description.
          type: string
        - name: level
          required: true
          description: The level of the rule (0 to 16). Alerts and responses use this value.
          type: bigint
        - name: sidid
          required: true
          description: The ID of the rule (100 to 99999).
          type: bigint
        - name: CIS
          description: A list of Center for Internet Security (CIS) checks relevant to the rule.
          type: array
          element:
            type: string
        - name: cve
          description: A Common Vulnerabilities and Exposures (CVE) identifier relevant to the rule.
          type: string
        - name: firedtimes
          description: The number of times the rule fired.
          type: bigint
        - name: frequency
          description: Specifies the number of times the rule must have matched before firing.
          type: bigint
        - name: group
          description: Groups are optional tags added to alerts.
          type: string
        - name: groups
          description: Groups are optional tags added to alerts.
          type: array
          element:
            type: string
        - name: info
          description: Additional information or reference about the rule.
          type: string
        - name: PCI_DSS
          description: A list of Payment Card Industry Data Security Standard (PCI DSS) requirements relevant to the rule.
          type: array
          element:
            type: string
    - name: TimeStamp
      required: true
      description: Timestamp in UTC.
      type: timestamp
      timeFormats:
        - unix_ms
      isEventTime: true
    - name: location
      required: true
      description: Source of the event (filename, command, etc).
      type: string
    - name: hostname
      required: true
      description: Hostname of the host that created the event.
      type: string
    - name: full_log
      required: true
      description: The full captured log of the event.
      type: string
    - name: action
      description: The event action (drop, deny, accept, etc).
      type: string
    - name: agentip
      description: The IP address of an agent extracted from the hostname.
      type: string
      indicators:
        - ip
    - name: agent_name
      description: The name of an agent extracted from the hostname.
      type: string
    - name: command
      description: The command extracted by the decoder.
      type: string
    - name: data
      description: Additional data extracted by the decoder. For example a filename.
      type: string
    - name: decoder
      description: The name of the decoder used to parse the logs.
      type: string
    - name: decoder_desc
      description: Information about the decoder used to parse the logs.
      type: object
      fields:
        - name: accumulate
          description: True if OSSEC tracks events over multiple log messages based on decoded id.
          type: bigint
        - name: fts
          description: The First Time Seen option inside of analysisd.
          type: bigint
        - name: ftscomment
          description: Unused at this time.
          type: string
        - name: name
          description: The name of the decoder.
          type: string
        - name: parent
          description: In the case of a nested decoder, the name of it's parent.
          type: string
    - name: decoder_parent
      description: In the case of a nested decoder, the name of it's parent.
      type: string
    - name: dstgeoip
      description: GeoIP location information about the destination IP address.
      type: string
    - name: dstip
      description: The destination IP address.
      type: string
      indicators:
        - ip
    - name: dstport
      description: The destination port.
      type: string
    - name: dstuser
      description: The destination (target) username.
      type: string
      indicators:
        - username
    - name: logfile
      description: The source log file that was decoded to generate the event.
      type: string
    - name: previous_output
      description: The full captured log of the previous event.
      type: string
    - name: program_name
      description: The executable name extracted from the log by the decoder used to match a rule.
      type: string
    - name: protocol
      description: The protocol (ip, tcp, udp, etc) extracted by the decoder.
      type: string
    - name: srcgeoip
      description: GeoIP location information about the source IP address.
      type: string
    - name: srcip
      description: The source IP address.
      type: string
      indicators:
        - ip
    - name: srcport
      description: The source port.
      type: string
    - name: srcuser
      description: The source username.
      type: string
      indicators:
        - username
    - name: status
      description: Event status (success, failure, etc).
      type: string
    - name: SyscheckFile
      description: Information about a file integrity check.
      type: object
      fields:
        - name: gowner_after
          description: The group owner after modification.
          type: string
        - name: gowner_before
          description: The group owner before modification.
          type: string
        - name: md5_after
          description: MD5 hash of the file after modification.
          type: string
          indicators:
            - md5
        - name: md5_before
          description: MD5 hash of the file before modification.
          type: string
          indicators:
            - md5
        - name: owner_after
          description: The file owner after modification.
          type: string
        - name: owner_before
          description: The file owner before modification.
          type: string
        - name: path
          description: The path to the file.
          type: string
        - name: perm_after
          description: The permissions of the file after modification.
          type: bigint
        - name: perm_before
          description: The permissions of the file before modification.
          type: bigint
        - name: sha1_after
          description: SHA1 hash of the file after modification.
          type: string
          indicators:
            - sha1
        - name: sha1_before
          description: SHA1 hash of the file before modification.
          type: string
          indicators:
            - sha1
    - name: systemname
      description: The system name extracted by the decoder.
      type: string
    - name: url
      description: URL of the event.
      type: string

Last updated

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated