Decoders Syntax

Overview

Options

decoder

Each decoder must have its name defined for reference by rules and other decoders.

Attributes:

  • name: the name by which rules and child decoders reference this decoder

Example:

<decoder name="atomic-widget">
</decoder>

decoder.parent

A decoder may be the child of another decoder, offering further parsing. The child decoders will not be checked if the parent does not match the log message.

Example:

<decoder name="atomic-widget-login">
  <parent>atomic-widget</parent>
</decoder>

decoder.accumulate

New in version 2.9.0.

Allows OSSEC to track events across multiple log messages that share a decoded id.

<decoder name="example">
  ...
  <order>id</order>
  <accumulate/>
</decoder>

Note

Requires a regex or pcre2 option that populates the id field.

decoder.program_name

For many log messages a program name can be extracted automatically. This option compares the value with the decoded program_name value.

Allowed: Any OS_Match/sregex Syntax

Example:

<decoder name="atomic-widget">
  <program_name>atomic-widget</program_name>
</decoder>

decoder.program_name_pcre2

For many log messages a program name can be extracted automatically. This option compares the value with the decoded program_name value.

Allowed: A pcre2 compliant string to match the program_name.

decoder.prematch

prematch looks for a string to determine whether the decoder is applicable.

Allowed: Any OS_Match/sregex Syntax

decoder.prematch_pcre2

prematch_pcre2 uses pcre2 to look for a string to determine whether the decoder is applicable.

Allowed: A pcre2 compliant string.

decoder.regex

This option extracts parts of the log message into the fields defined in the order option, using the OSSEC regex syntax.

Allowed: Any OS_Regex/regex Syntax

decoder.pcre2

This option extracts parts of the log message into the fields defined in the order option, using the PCRE2 syntax.

Allowed: A pcre2 compliant search string.

decoder.order

This option names the fields used by the regex or pcre2 options. The field names are comma separated.

Field Name List:

  • location - where the log came from (only on FTS)
  • srcuser - extracts the source username
  • dstuser - extracts the destination (target) username
  • user - an alias to dstuser (only one of the two can be used)
  • srcip - source ip
  • dstip - destination ip
  • srcport - source port
  • dstport - destination port
  • protocol - protocol
  • id - event id
  • url - url of the event
  • action - event action (deny, drop, accept, etc)
  • status - event status (success, failure, etc)
  • extra_data - Any extra data

Active Response fields:

The following fields may be used for active responses.

  • user
  • srcip
  • filename

decoder.fts

fts is the First Time Seen option inside analysisd. It alerts the first time any listed decoded field is populated with a value that has not been seen before.

Allowed: Field names as listed under order above.

Example:

<decoder name="atomic-widget-login">
  <parent>atomic-widget</parent>
  <regex>user=(\S+)</regex>
  <order>srcuser</order>
  <fts>srcuser</fts>
</decoder>

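
The following is an added illustration, not OSSEC code: a small Python model of how a parent decoder gates its children (program_name, prematch), how pcre2 groups land in the fields named by order, and how fts fires only on a first-seen value. It uses Python's re for the pcre2-family options only, since OSSEC's own OS_Regex dialect is not Python re; the decoder pair, the log lines and the function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed decoder pair in this page's XML syntax (not shipped with OSSEC).
DECODERS_XML = r"""<root>
<decoder name="atomic-widget">
  <program_name_pcre2>^atomic-widget$</program_name_pcre2>
</decoder>
<decoder name="atomic-widget-login">
  <parent>atomic-widget</parent>
  <prematch_pcre2>^login </prematch_pcre2>
  <pcre2>user=(\S+) from=(\S+)</pcre2>
  <order>srcuser,srcip</order>
  <fts>srcuser</fts>
</decoder>
</root>"""
DECODERS = ET.fromstring(DECODERS_XML).findall("decoder")

def applies(dec, program, msg):
    # Fields named by <order>, or None when program_name, prematch or pcre2 fail.
    checks = (("program_name_pcre2", program), ("prematch_pcre2", msg))
    if any(dec.findtext(o) and not re.search(dec.findtext(o), s) for o, s in checks):
        return None
    m = re.search(dec.findtext("pcre2", ""), msg)  # no <pcre2>: matches, no groups
    return dict(zip(dec.findtext("order", "").split(","), m.groups())) if m else None

def decode(program, msg, seen):
    # Parents first; a child is tried only after its parent matched. <fts> fires
    # when a listed field carries a (field, value) pair not yet in `seen`.
    for parent in (d for d in DECODERS if d.find("parent") is None):
        fields = applies(parent, program, msg)
        if fields is None:
            continue
        for child in (d for d in DECODERS if d.findtext("parent") == parent.get("name")):
            cf = applies(child, program, msg)
            if cf is not None:
                fields = {**fields, **cf}
                new = {(f, fields[f]) for f in child.findtext("fts", "").split(",") if f in fields}
                fts = not new <= seen
                seen |= new
                return child.get("name"), fields, fts
        return parent.get("name"), fields, False
    return None, {}, False

# Constructed (program_name, message) pairs as seen after syslog header parsing.
SAMPLE = [("atomic-widget", "login user=alice from=10.0.0.5"),
          ("atomic-widget", "login user=alice from=10.0.0.7"),
          ("other-daemon", "login user=mallory from=10.0.0.9")]
def run_sample():
    seen = set()
    return [decode(p, m, seen) for p, m in SAMPLE]
```

Running run_sample() shows the third line never reaches the child decoder because the parent's program_name check fails, and only the first alice login raises fts.
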
decoder.ftscomment

Unused at this time.