Decoders Syntax

Overview

Options

decoder

Attributes:

  • id::
  • name:
  • type:
  • status:
decoder.parent
decoder.accumulate

Allow OSSEC to track events over multiple log messages based on a decoded id.

<decoder name="example">
  ...
  <order>id</order>
  <accumulate/>
</decoder>

Note

Requires a regex populating the id field.

Warning

accumulate first appeared in OSSEC 2.9.

decoder.program_name

Allowed: Any OS_Match/sregex Syntax

decoder.prematch

Allowed: Any OS_Match/sregex Syntax

decoder.regex

Allowed: Any OR_Regex/regex Syntax

decoder.order

Allowed:

  • location - where the log came from (only on FTS)
  • srcuser - extracts the source username
  • dstuser - extracts the destination (target) username
  • user - an alias to dstuser (only one of the two can be used)
  • srcip - source ip
  • dstip - dst ip
  • srcport - source port
  • dstport - destination port
  • protocol - protocol
  • id - event id
  • url - url of the event
  • action - event action (deny, drop, accept, etc)
  • status - event status (success, failure, etc)
  • extra_data - Any extra data
decoder.fts
decoder.ftscomment

Unused at this time.