osseclogs

package
v1.13.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 30, 2020 License: AGPL-3.0 Imports: 4 Imported by: 0

Documentation

Index

Constants

View Source
const (
	TypeEventInfo = "OSSEC.EventInfo"
)

Variables

This section is empty.

Functions

func LogTypes added in v1.12.0

func LogTypes() logtypes.Group

Types

type Decoder

type Decoder struct {
	Accumulate *int    `json:"accumulate,omitempty" description:"True if OSSEC tracks events over multiple log messages based on decoded id."`
	Fts        *int    `json:"fts,omitempty" description:"The First Time Seen option inside of analysisd."`
	Ftscomment *string `json:"ftscomment,omitempty" description:"Unused at this time."`
	Name       *string `json:"name,omitempty" description:"The name of the decoder."`
	Parent     *string `json:"parent,omitempty" description:"In the case of a nested decoder, the name of it's parent."`
}

nolint:lll

type EventInfo

type EventInfo struct {
	// Required
	ID        *string                    `json:"id" validate:"required" description:"Unique id of the event."`
	Rule      *Rule                      `json:"rule" validate:"required,dive" description:"Information about the rule that created the event."`
	Timestamp *timestamp.UnixMillisecond `json:"TimeStamp" validate:"required" description:"Timestamp in UTC."`
	Location  *string                    `json:"location" validate:"required" description:"Source of the event (filename, command, etc)."`
	Hostname  *string                    `json:"hostname" validate:"required" description:"Hostname of the host that created the event."`
	FullLog   *string                    `json:"full_log" validate:"required" description:"The full captured log of the event."`

	// Optional
	Action             *string   `json:"action,omitempty" description:"The event action (drop, deny, accept, etc)."`
	AgentIP            *string   `json:"agentip,omitempty" description:"The IP address of an agent extracted from the hostname."`
	AgentName          *string   `json:"agent_name,omitempty" description:"The name of an agent extracted from the hostname."`
	Command            *string   `json:"command,omitempty" description:"The command extracted by the decoder."`
	Data               *string   `json:"data,omitempty" description:"Additional data extracted by the decoder. For example a filename."`
	Decoder            *string   `json:"decoder,omitempty" description:"The name of the decoder used to parse the logs."`
	DecoderDescription *Decoder  `json:"decoder_desc,omitempty" validate:"omitempty,dive" description:"Information about the decoder used to parse the logs."`
	DecoderParent      *string   `json:"decoder_parent,omitempty" description:"In the case of a nested decoder, the name of it's parent."`
	DstGeoIP           *string   `json:"dstgeoip,omitempty" description:"GeoIP location information about the destination IP address."`
	DstIP              *string   `json:"dstip,omitempty" description:"The destination IP address."`
	DstPort            *string   `json:"dstport,omitempty" description:"The destination port."`
	DstUser            *string   `json:"dstuser,omitempty" description:"The destination (target) username."`
	Logfile            *string   `json:"logfile,omitempty" description:"The source log file that was decoded to generate the event."`
	PreviousOutput     *string   `json:"previous_output,omitempty" description:"The full captured log of the previous event."`
	ProgramName        *string   `json:"program_name,omitempty" description:"The executable name extracted from the log by the decoder used to match a rule."`
	Protocol           *string   `json:"protocol,omitempty" description:"The protocol (ip, tcp, udp, etc) extracted by the decoder."`
	SrcGeoIP           *string   `json:"srcgeoip,omitempty" description:"GeoIP location information about the source IP address."`
	SrcIP              *string   `json:"srcip,omitempty" description:"The source IP address."`
	SrcPort            *string   `json:"srcport,omitempty" description:"The source port."`
	SrcUser            *string   `json:"srcuser,omitempty" description:"The source username."`
	Status             *string   `json:"status,omitempty" description:"Event status (success, failure, etc)."`
	SyscheckFile       *FileDiff `json:"SyscheckFile,omitempty" validate:"omitempty,dive" description:"Information about a file integrity check."`
	Systemname         *string   `json:"systemname,omitempty" description:"The system name extracted by the decoder."`
	URL                *string   `json:"url,omitempty" description:"URL of the event."`

	// NOTE: added to end of struct to allow expansion later
	parsers.PantherLog
}

nolint:lll

type EventInfoParser

type EventInfoParser struct{}

EventInfoParser parses OSSEC EventInfo alerts in the JSON format

func (*EventInfoParser) LogType

func (p *EventInfoParser) LogType() string

LogType returns the log type supported by this parser

func (*EventInfoParser) New

func (*EventInfoParser) Parse

func (p *EventInfoParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type FileDiff

type FileDiff struct {
	GroupOwnerAfter  *string `json:"gowner_after,omitempty" description:"The group owner after modification."`
	GroupOwnerBefore *string `json:"gowner_before,omitempty" description:"The group owner before modification."`
	MD5After         *string `json:"md5_after,omitempty" description:"MD5 hash of the file after modification."`
	MD5Before        *string `json:"md5_before,omitempty" description:"MD5 hash of the file before modification."`
	OwnerAfter       *string `json:"owner_after,omitempty" description:"The file owner after modification."`
	OwnerBefore      *string `json:"owner_before,omitempty" description:"The file owner before modification."`
	Path             *string `json:"path,omitempty" description:"The path to the file."`
	PermAfter        *int    `json:"perm_after,omitempty" description:"The permissions of the file after modification."`
	PermBefore       *int    `json:"perm_before,omitempty" description:"The permissions of the file before modification."`
	SHA1After        *string `json:"sha1_after,omitempty" description:"SHA1 hash of the file after modification."`
	SHA1Before       *string `json:"sha1_before,omitempty" description:"SHA1 hash of the file before modification."`
}

nolint:lll

type Rule

type Rule struct {
	// Required
	Comment *string `json:"comment" validate:"required" description:"The rule description."`
	Group   *string `json:"group" validate:"required" description:"Groups are optional tags added to alerts."`
	Level   *int    `json:"level" validate:"required" description:"The level of the rule (0 to 16). Alerts and responses use this value."`
	SIDID   *int    `json:"sidid" validate:"required" description:"The ID of the rule (100 to 99999)."`

	// Optional
	CIS        []string `json:"CIS,omitempty" description:"A list of Center for Internet Security (CIS) checks relevant to the rule."`
	CVE        *string  `json:"cve,omitempty" description:"A Common Vulnerabilities and Exposures (CVE) identifier relevant to the rule."`
	Firedtimes *int     `json:"firedtimes,omitempty" description:"The number of times the rule fired."`
	Frequency  *int     `json:"frequency,omitempty" description:"Specifies the number of times the rule must have matched before firing."`
	Groups     []string `json:"groups,omitempty" description:"Groups are optional tags added to alerts."`
	Info       *string  `json:"info,omitempty" description:"Additional information or reference about the rule."`
	PCIDSS     []string `` /* 138-byte string literal not displayed */
}

nolint:lll

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL