Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var EventInfoDesc = `` /* 133-byte string literal not displayed */
Functions ¶
This section is empty.
Types ¶
type Decoder ¶
type Decoder struct {
Accumulate *int `json:"accumulate,omitempty" description:"True if OSSEC tracks events over multiple log messages based on decoded id."`
Fts *int `json:"fts,omitempty" description:"The First Time Seen option inside of analysisd."`
Ftscomment *string `json:"ftscomment,omitempty" description:"Unused at this time."`
Name *string `json:"name,omitempty" description:"The name of the decoder."`
Parent *string `json:"parent,omitempty" description:"In the case of a nested decoder, the name of it's parent."`
}
nolint:lll
type EventInfo ¶
type EventInfo struct {
// Required
ID *string `json:"id" validate:"required" description:"Unique id of the event."`
Rule *Rule `json:"rule" validate:"required,dive" description:"Information about the rule that created the event."`
Timestamp *timestamp.UnixMillisecond `json:"TimeStamp" validate:"required" description:"Timestamp in UTC."`
Location *string `json:"location" validate:"required" description:"Source of the event (filename, command, etc)."`
Hostname *string `json:"hostname" validate:"required" description:"Hostname of the host that created the event."`
FullLog *string `json:"full_log" validate:"required" description:"The full captured log of the event."`
// Optional
Action *string `json:"action,omitempty" description:"The event action (drop, deny, accept, etc)."`
AgentIP *string `json:"agentip,omitempty" description:"The IP address of an agent extracted from the hostname."`
AgentName *string `json:"agent_name,omitempty" description:"The name of an agent extracted from the hostname."`
Command *string `json:"command,omitempty" description:"The command extracted by the decoder."`
Data *string `json:"data,omitempty" description:"Additional data extracted by the decoder. For example a filename."`
Decoder *string `json:"decoder,omitempty" description:"The name of the decoder used to parse the logs."`
DecoderDescription *Decoder `json:"decoder_desc,omitempty" validate:"omitempty,dive" description:"Information about the decoder used to parse the logs."`
DecoderParent *string `json:"decoder_parent,omitempty" description:"In the case of a nested decoder, the name of it's parent."`
DstGeoIP *string `json:"dstgeoip,omitempty" description:"GeoIP location information about the destination IP address."`
DstIP *string `json:"dstip,omitempty" description:"The destination IP address."`
DstPort *string `json:"dstport,omitempty" description:"The destination port."`
DstUser *string `json:"dstuser,omitempty" description:"The destination (target) username."`
Logfile *string `json:"logfile,omitempty" description:"The source log file that was decoded to generate the event."`
PreviousOutput *string `json:"previous_output,omitempty" description:"The full captured log of the previous event."`
ProgramName *string `json:"program_name,omitempty" description:"The executable name extracted from the log by the decoder used to match a rule."`
Protocol *string `json:"protocol,omitempty" description:"The protocol (ip, tcp, udp, etc) extracted by the decoder."`
SrcGeoIP *string `json:"srcgeoip,omitempty" description:"GeoIP location information about the source IP address."`
SrcIP *string `json:"srcip,omitempty" description:"The source IP address."`
SrcPort *string `json:"srcport,omitempty" description:"The source port."`
SrcUser *string `json:"srcuser,omitempty" description:"The source username."`
Status *string `json:"status,omitempty" description:"Event status (success, failure, etc)."`
SyscheckFile *FileDiff `json:"SyscheckFile,omitempty" validate:"omitempty,dive" description:"Information about a file integrity check."`
Systemname *string `json:"systemname,omitempty" description:"The system name extracted by the decoder."`
URL *string `json:"url,omitempty" description:"URL of the event."`
// NOTE: added to end of struct to allow expansion later
parsers.PantherLog
}
nolint:lll
type EventInfoParser ¶
type EventInfoParser struct{}
EventInfoParser parses OSSEC EventInfo alerts in the JSON format
func (*EventInfoParser) LogType ¶
func (p *EventInfoParser) LogType() string
LogType returns the log type supported by this parser
func (*EventInfoParser) New ¶
func (p *EventInfoParser) New() parsers.LogParser
func (*EventInfoParser) Parse ¶
func (p *EventInfoParser) Parse(log string) []interface{}
Parse returns the parsed events or nil if parsing failed
type FileDiff ¶
type FileDiff struct {
GroupOwnerAfter *string `json:"gowner_after,omitempty" description:"The group owner after modification."`
GroupOwnerBefore *string `json:"gowner_before,omitempty" description:"The group owner before modification."`
MD5After *string `json:"md5_after,omitempty" description:"MD5 hash of the file after modification."`
MD5Before *string `json:"md5_before,omitempty" description:"MD5 hash of the file before modification."`
OwnerAfter *string `json:"owner_after,omitempty" description:"The file owner after modification."`
OwnerBefore *string `json:"owner_before,omitempty" description:"The file owner before modification."`
Path *string `json:"path,omitempty" description:"The path to the file."`
PermAfter *int `json:"perm_after,omitempty" description:"The permissions of the file after modification."`
PermBefore *int `json:"perm_before,omitempty" description:"The permissions of the file before modification."`
SHA1After *string `json:"sha1_after,omitempty" description:"SHA1 hash of the file after modification."`
SHA1Before *string `json:"sha1_before,omitempty" description:"SHA1 hash of the file before modification."`
}
nolint:lll
type Rule ¶
type Rule struct {
// Required
Comment *string `json:"comment" validate:"required" description:"The rule description."`
Group *string `json:"group" validate:"required" description:"Groups are optional tags added to alerts."`
Level *int `json:"level" validate:"required" description:"The level of the rule (0 to 16). Alerts and responses use this value."`
SIDID *int `json:"sidid" validate:"required" description:"The ID of the rule (100 to 99999)."`
// Optional
CIS []string `json:"CIS,omitempty" description:"A list of Center for Internet Security (CIS) checks relevant to the rule."`
CVE *string `json:"cve,omitempty" description:"A Common Vulnerabilities and Exposures (CVE) identifier relevant to the rule."`
Firedtimes *int `json:"firedtimes,omitempty" description:"The number of times the rule fired."`
Frequency *int `json:"frequency,omitempty" description:"Specifies the number of times the rule must have matched before firing."`
Groups []string `json:"groups,omitempty" description:"Groups are optional tags added to alerts."`
Info *string `json:"info,omitempty" description:"Additional information or reference about the rule."`
PCIDSS []string `` /* 138-byte string literal not displayed */
}
nolint:lll
Source Files
Click to show internal directories.
Click to hide internal directories.