decoder
Each decoder must have its name defined for reference by rules and other decoders.
Attributes:
- name: the name of the decoder, referenced by rules and by other decoders.
Example:
<decoder name="atomic-widget">
decoder.parent
A decoder may be the child of another decoder, offering further parsing. The child decoders will not be checked if the parent does not match the log message.
Example:
<decoder name="atomic-widget-login">
  <parent>atomic-widget</parent>
</decoder>
decoder.accumulate
New in version 2.9.0.
Allows OSSEC to track events across multiple log messages based on a decoded id.
Example:
<decoder name="example">
  ...
  <order>id</order>
  <accumulate/>
</decoder>
Note: Requires a regex or pcre2 option that populates the id field.
decoder.program_name
For many log messages a program name can be extracted automatically. This option compares its value with the program_name decoded from the log message; the decoder only applies when they match.
Allowed: Any OS_Match/sregex Syntax
Example:
<decoder name="atomic-widget">
  <program_name>atomic-widget</program_name>
</decoder>
decoder.program_name_pcre2
For many log messages a program name can be extracted automatically. This option compares its value with the program_name decoded from the log message using pcre2; the decoder only applies when they match.
Allowed: A pcre2 compliant string to match the program_name.
decoder.prematch
prematch looks for a string in the log message to determine whether the decoder is applicable.
Allowed: Any OS_Match/sregex Syntax
decoder.prematch_pcre2
prematch_pcre2 uses pcre2 to look for a string in the log message to determine whether the decoder is applicable.
Allowed: A pcre2 compliant string.
decoder.regex
This option extracts parts of the log message into the fields named by the order option, using the OSSEC regex syntax.
Allowed: Any OS_Regex/regex Syntax
decoder.pcre2
This option extracts parts of the log message into the fields named by the order option, using the PCRE2 syntax.
Allowed: A pcre2 compliant search string.
decoder.order
This option names the fields that the capture groups of the regex or pcre2 option are stored in, in the order the groups appear. The field names are comma separated.
Field Name List:
- location - where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user - an alias to dstuser (only one of the two can be used)
- srcip - source IP address
- dstip - destination IP address
- srcport - source port
- dstport - destination port
- protocol - protocol
- id - event id
- url - url of the event
- action - event action (deny, drop, accept, etc)
- status - event status (success, failure, etc)
- extra_data - Any extra data
Active Response fields:
The following fields may be used for active responses.
- user
- srcip
- filename
decoder.fts
fts is the First Time Seen option inside of analysisd. It alerts the first time any of the listed decoded fields is populated with a value that has not been seen before.
Allowed: Field names as listed in order above.
Example:
<decoder name="atomic-widget-login">
  <parent>atomic-widget</parent>
  <regex>user=(\S+)</regex>
  <order>srcuser</order>
  <fts>srcuser</fts>
</decoder>
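As an added illustration (not code from the OSSEC documentation or source tree), the following Python script loads a constructed decoder file that combines the options described on this page (parent, program_name_pcre2, prematch_pcre2, pcre2, order and fts) and runs constructed sample events through it, reproducing the parent-then-child matching and the First Time Seen check. It uses Python's re in place of pcre2 for these simple patterns and assumes the program name has already been split off the syslog header.

```python
import re
import xml.etree.ElementTree as ET

# Constructed decoder file for this example (not from the OSSEC source tree); the
# pcre2 variants are used because Python's re handles this subset identically.
DECODERS_XML = r"""<decoders>
<decoder name="atomic-widget">
  <program_name_pcre2>^atomic-widget$</program_name_pcre2>
</decoder>
<decoder name="atomic-widget-login">
  <parent>atomic-widget</parent>
  <prematch_pcre2>^login (accepted|failed)</prematch_pcre2>
  <pcre2>^login (accepted|failed) for (\S+) from (\d+\.\d+\.\d+\.\d+)</pcre2>
  <order>status,srcuser,srcip</order>
  <fts>srcuser</fts>
</decoder>
</decoders>"""

def load_decoders(xml_text):
    """Map decoder name -> {option tag: text}, keeping file order (parents first)."""
    return {d.get("name"): {c.tag: (c.text or "").strip() for c in d} for d in ET.fromstring(xml_text)}

def decode(decoders, program_name, message, seen):
    """Return (deepest matching decoder, fields, fts alert); `seen` holds values already observed per fts field."""
    matched, fields, fts_alert = [], {}, False
    for name, d in decoders.items():
        parent = d.get("parent")
        # one top-level decoder per event; a child is tried only once its parent matched
        if (parent is None and matched) or (parent is not None and parent not in matched):
            continue
        gates = [(d.get("program_name_pcre2"), program_name), (d.get("prematch_pcre2"), message)]
        if any(pat and not re.search(pat, text) for pat, text in gates):
            continue
        if "pcre2" in d:
            m = re.search(d["pcre2"], message)
            if m is None:
                continue
            fields.update(zip(d["order"].split(","), m.groups()))  # order names the capture groups
        matched.append(name)
        if "fts" in d and fields.get(d["fts"]) is not None:
            known = seen.setdefault(d["fts"], set())
            fts_alert = fields[d["fts"]] not in known          # first time this value is seen
            known.add(fields[d["fts"]])
    return (matched[-1] if matched else None), fields, fts_alert

# constructed (program_name, message) pairs; the syslog header is assumed already split off
SAMPLE_EVENTS = [("atomic-widget", "login accepted for alice from 10.0.0.5"),
                 ("atomic-widget", "login failed for alice from 10.0.0.7"),
                 ("other-daemon", "login accepted for alice from 10.0.0.5")]

def run(events, xml_text=DECODERS_XML):
    decoders, seen = load_decoders(xml_text), {}
    return [decode(decoders, prog, msg, seen) for prog, msg in events]
```

The third event is never handed to the child decoder because its program name fails the parent's check, and only the first appearance of srcuser "alice" raises the fts flag.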
decoder.ftscomment
Unused at this time.