decoder

Attributes:

decoder.parent
Names the decoder that must have matched first; decoders carrying a parent are only tried against lines their parent already matched.

decoder.accumulate
New in version 2.9.0.
Allow OSSEC to track events over multiple log messages based on a decoded id.
<decoder name="example">
...
<order>id</order>
<accumulate/>
</decoder>
Note: Requires a regex populating the id field; without a decoded id there is nothing to correlate on.

Warning: accumulate first appeared in OSSEC 2.9.0 and is not available in earlier releases.
decoder.program_name
Allowed: Any OS_Match/sregex Syntax
Matched against the program name the syslog pre-decoder extracts from the message header.

decoder.prematch
Allowed: Any OS_Match/sregex Syntax
A cheap match evaluated before regex; the regex only runs on lines that pass the prematch.

decoder.regex
Allowed: Any OS_Regex/regex Syntax
Each capture group is assigned, in sequence, to the corresponding field listed in order.
decoder.order
Allowed (comma-separated, one entry per capture group in regex):
- location - where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user - an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol - protocol
- id - event id
- url - url of the event
- action - event action (deny, drop, accept, etc)
- status - event status (success, failure, etc)
- extra_data - Any extra data
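The attributes above, combined into one complete decoder set. This is an added, constructed example and not part of OSSEC's shipped decoders: the program name examplefw, the log format, and the two sample lines are hypothetical. It shows the parent/child chain, prematch narrowing before regex, the mapping of capture groups onto order fields, and accumulate joining two messages that carry the same id.

```xml
<!-- Constructed example, not an OSSEC-supplied decoder. It targets two
     hypothetical syslog lines (also constructed):

     Jan  1 10:00:00 fw1 examplefw: DROP proto=TCP src=10.0.0.5:51234 dst=192.0.2.10:22 id=4711
     Jan  1 10:00:01 fw1 examplefw: LOOKUP id=4711 user=alice
-->

<!-- Parent: matched on the syslog program name only, so the full regexes
     below are never run against lines from other programs. -->
<decoder name="examplefw">
  <program_name>^examplefw</program_name>
</decoder>

<!-- Child for the connection event. prematch is a cheap check that the line
     is this event type; regex then starts where the prematch ended.
     The seven capture groups fill the seven order fields in sequence.
     OS_Regex: \w = [A-Za-z0-9], \d = [0-9], \S = non-space; a bare "." is
     a literal dot. -->
<decoder name="examplefw-conn">
  <parent>examplefw</parent>
  <prematch>^\w+ proto=</prematch>
  <regex offset="after_prematch">^(\w+) proto=(\w+) src=(\d+.\d+.\d+.\d+):(\d+) dst=(\d+.\d+.\d+.\d+):(\d+) id=(\d+)$</regex>
  <order>action, protocol, srcip, srcport, dstip, dstport, id</order>
  <accumulate/>
</decoder>

<!-- Child for the follow-up message. It decodes the same id plus the user
     name; because both decoders populate id and set accumulate, the fields
     from the earlier connection line (srcip, dstport, ...) are carried over
     to this event, so a rule can see srcip and srcuser together. -->
<decoder name="examplefw-lookup">
  <parent>examplefw</parent>
  <prematch>^LOOKUP id=</prematch>
  <regex offset="after_prematch">^(\d+) user=(\S+)$</regex>
  <order>id, srcuser</order>
  <accumulate/>
</decoder>
```

To check a decoder like this, paste each sample line into /var/ossec/bin/ossec-logtest and confirm the decoded fields it prints under the decoding phase match the order list; a regex that matches but yields the wrong field names is the most common mistake, and it is invisible until a rule fails to fire.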
decoder.fts

decoder.ftscomment
Unused at this time.