Decoders Syntax

Overview

Options

  • decoder

    Each decoder must have its name defined for reference by rules and other decoders.

    Attributes:

    • name:

    Example:

    <decoder name="atomic-widget">
    </decoder>

  • decoder.parent

    A decoder may be the child of another decoder, offering further parsing. The child decoders will not be checked if the parent does not match the log message.

    Example:

    <decoder name="atomic-widget-login">
      <parent>atomic-widget</parent>
    </decoder>

  • decoder.accumulate

    Added in version 2.9.0.

    Allows OSSEC to track events over multiple log messages based on a decoded id.

    <decoder name="example">
      ...
      <order>id</order>
      <accumulate/>
    </decoder>

    Note

    Requires a regex or pcre2 pattern that populates the id field.

  • decoder.program_name

    For many log messages a program name can be extracted automatically. This option compares the value with the decoded program_name value.

    Allowed: Any OS_Match/sregex Syntax

    Example:

    <decoder name="atomic-widget">
      <program_name>atomic-widget</program_name>
    </decoder>

  • decoder.program_name_pcre2

    For many log messages a program name can be extracted automatically. This option compares the value, interpreted as a PCRE2 pattern, with the decoded program_name value.

    Allowed: A pcre2 compliant string to match the program_name.

  • decoder.prematch

    prematch looks for a string to determine whether the decoder is applicable.

    Allowed: Any OS_Match/sregex Syntax

  • decoder.prematch_pcre2

    prematch_pcre2 uses PCRE2 to look for a string to determine whether the decoder is applicable.

    Allowed: A pcre2 compliant string.

  • decoder.regex

    This option will allow parts of the log messages to be extracted into fields defined in the order option, using the OSSEC regex syntax.

    Allowed: Any OS_Regex/regex Syntax

  • decoder.pcre2

    This option will allow parts of the log messages to be extracted into fields defined in the order option, using the PCRE2 syntax.

    Allowed: A pcre2 compliant search string.

  • decoder.order

    This option names the fields that the capture groups of the regex or pcre2 option are stored into, in the order the groups appear. The field names are comma separated.

    Field Name List:

    • location - where the log came from (only on FTS)

    • srcuser - extracts the source username

    • dstuser - extracts the destination (target) username

    • user - an alias to dstuser (only one of the two can be used)

    • srcip - source IP address

    • dstip - destination IP address

    • srcport - source port

    • dstport - destination port

    • protocol - network protocol

    • id - event id

    • url - URL of the event

    • action - event action (deny, drop, accept, etc)

    • status - event status (success, failure, etc)

    • extra_data - any extra data

    Active Response fields:

    The following fields may be used for active responses.

    • user

    • srcip

    • filename

  • decoder.fts

    fts is the First Time Seen option in analysisd. It alerts the first time a listed decoded field is populated with a value that has not been seen before.

    Allowed: Field names as listed in order above.

    Example:

    <decoder name="atomic-widget-login">
      <parent>atomic-widget</parent>
      <regex>user=(\S+)</regex>
      <order>srcuser</order>
      <fts>srcuser</fts>
    </decoder>

  • decoder.ftscomment

    Unused at this time.
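
The following Python script is an added example, not part of the OSSEC documentation or the analysisd source. It emulates, in simplified form, how the options above work together: a parent decoder selected by program_name, a child decoder that is only consulted once the parent matched and whose prematch gates it, a pcre2 pattern whose capture groups are stored into the fields named by order, and an fts tracker that reports the first time a listed field carries a new value. Assumptions: Python's re module stands in for the PCRE2 engine (the patterns are simple enough to behave identically), the syslog header split is a minimal RFC 3164 style parser, and the decoder names, hosts and log lines are constructed for the example.

```python
"""Added example: a simplified emulation of OSSEC decoder evaluation.
Not the analysisd implementation; Python ``re`` stands in for PCRE2."""
import re
import xml.etree.ElementTree as ET

# Constructed decoders using the pcre2 variants of the documented options.
DECODERS_XML = r"""
<decoders>
  <decoder name="atomic-widget">
    <program_name_pcre2>^atomic-widget$</program_name_pcre2>
  </decoder>
  <decoder name="atomic-widget-login">
    <parent>atomic-widget</parent>
    <prematch_pcre2>^login</prematch_pcre2>
    <pcre2>user=(\S+) from=(\d+\.\d+\.\d+\.\d+) result=(\w+)</pcre2>
    <order>srcuser,srcip,status</order>
    <fts>srcuser</fts>
  </decoder>
</decoders>
"""

# Minimal "Mon DD HH:MM:SS host prog[pid]: msg" header split (assumption).
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ([^\[:\s]+)(?:\[\d+\])?: (.*)$")
REGEX_TAGS = ("program_name_pcre2", "prematch_pcre2", "pcre2")
LIST_TAGS = ("order", "fts")


def load_decoders(xml_text):
    """Parse <decoder> elements into dicts keyed by decoder name."""
    decoders = {}
    for el in ET.fromstring(xml_text):
        d = {"name": el.get("name"), "parent": None, "order": [], "fts": []}
        for child in el:
            text = (child.text or "").strip()
            if child.tag == "parent":
                d["parent"] = text
            elif child.tag in LIST_TAGS:
                d[child.tag] = [f.strip() for f in text.split(",")]
            elif child.tag in REGEX_TAGS:
                d[child.tag] = re.compile(text)
        decoders[d["name"]] = d
    return decoders


def applies(decoder, program_name, message):
    """program_name and prematch decide whether a decoder is applicable."""
    rx = decoder.get("program_name_pcre2")
    if rx is not None and not (program_name and rx.search(program_name)):
        return False
    rx = decoder.get("prematch_pcre2")
    return rx is None or rx.search(message) is not None


def extract(decoder, message):
    """Map the pcre2 capture groups onto the field names from order."""
    rx = decoder.get("pcre2")
    m = rx.search(message) if rx is not None else None
    return dict(zip(decoder["order"], m.groups())) if m else {}


def decode(decoders, line):
    """Try top-level decoders, then the children of the one that matched."""
    m = SYSLOG_RE.match(line)
    program_name, message = (m.group(1), m.group(2)) if m else (None, line)
    result = {"decoder": None, "fields": {}}
    for parent in (d for d in decoders.values() if d["parent"] is None):
        if not applies(parent, program_name, message):
            continue  # children of a non-matching parent are never checked
        result["decoder"] = parent["name"]
        result["fields"].update(extract(parent, message))
        for child in (d for d in decoders.values()
                      if d["parent"] == parent["name"]):
            if applies(child, program_name, message):
                result["decoder"] = child["name"]
                result["fields"].update(extract(child, message))
                break
        break
    return result


class FirstTimeSeen:
    """Emulates fts: remembers (decoder, field, value) triples and reports
    the ones observed for the first time."""

    def __init__(self):
        self.seen = set()

    def check(self, decoder, fields):
        new = []
        for field in decoder["fts"]:
            if field in fields:
                key = (decoder["name"], field, fields[field])
                if key not in self.seen:
                    self.seen.add(key)
                    new.append(key)
        return new


# Constructed log lines. The last one comes from another program, so the
# parent fails and the child is skipped even though its prematch would hit.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 host1 atomic-widget[4242]: login user=alice from=10.0.0.5 result=success",
    "Jan 10 12:00:07 host1 atomic-widget[4242]: login user=alice from=10.0.0.5 result=failure",
    "Jan 10 12:00:09 host1 atomic-widget[4242]: login user=bob from=10.0.0.9 result=success",
    "Jan 10 12:00:12 host1 sshd[999]: login user=mallory from=10.0.0.1 result=success",
]


def run_sample():
    """Decode every sample line and attach the fts hits for each."""
    decoders = load_decoders(DECODERS_XML)
    fts = FirstTimeSeen()
    results = []
    for line in SAMPLE_LOGS:
        r = decode(decoders, line)
        r["fts"] = fts.check(decoders[r["decoder"]], r["fields"]) if r["decoder"] else []
        results.append(r)
    return results


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

Running the script shows the first two lines decoded by atomic-widget-login with srcuser, srcip and status populated, an fts hit only on the first appearance of alice and of bob, and the sshd line left undecoded because the parent's program_name did not match, so the child's prematch was never evaluated.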