Open craiglawson opened 9 years ago
Hi, Craig!
I'm endeavoring to use the IDMEF format for alert formatting. It has an RFC and is very comprehensive. The IDMEF format assumes that analyzers can be chained, and OSSEC assumes that too. As I understand it, you can create a very long structure of hybrid OSSEC servers. So, in the most common case you need to make a name for every analyzer in the chain. I think it is not a bad idea.
What problem are you trying to solve? Maybe it would be better to make some kind of composite name of the analyzers' path? Something like Alert.Analyzing.Path:OSSECserver<-OSSEChybrid<-OSSECagent.
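One way to derive the composite analyzer path suggested above, as an added example (not code from the OSSEC project or from anyone in this thread): it walks the nested Analyzer elements of an RFC 4765 IDMEF message with Python's standard XML parser and joins the node names in server<-hybrid<-agent order. The sample message, the analyzerid values and the Alert.Analyzing.* field names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace defined by RFC 4765 for IDMEF messages.
IDMEF_NS = {"idmef": "http://iana.org/idmef"}

# Constructed sample: an alert that passed through three chained OSSEC analyzers.
# The outermost Analyzer is the one that delivered the alert to us; each nested
# Analyzer is the earlier hop, down to the originating agent.
SAMPLE_ALERT = """<?xml version="1.0"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="constructed-1">
    <idmef:Analyzer analyzerid="srv-01">
      <idmef:Node><idmef:name>OSSECserver</idmef:name></idmef:Node>
      <idmef:Analyzer analyzerid="hyb-01">
        <idmef:Node><idmef:name>OSSEChybrid</idmef:name></idmef:Node>
        <idmef:Analyzer analyzerid="agent-42">
          <idmef:Node><idmef:name>OSSECagent</idmef:name></idmef:Node>
        </idmef:Analyzer>
      </idmef:Analyzer>
    </idmef:Analyzer>
    <idmef:CreateTime>2016-01-01T00:00:00Z</idmef:CreateTime>
    <idmef:Classification text="constructed test alert"/>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def analyzer_chain(alert):
    """Labels from the delivering analyzer down to the originator.
    A hop without a Node/name falls back to its analyzerid so the path never silently drops a hop."""
    chain = []
    analyzer = alert.find("idmef:Analyzer", IDMEF_NS)
    while analyzer is not None:
        name = analyzer.findtext("idmef:Node/idmef:name", default=None, namespaces=IDMEF_NS)
        chain.append(name or analyzer.get("analyzerid", "unknown"))
        analyzer = analyzer.find("idmef:Analyzer", IDMEF_NS)
    return chain


def analyzing_path(xml_text):
    """Composite path string, e.g. OSSECserver<-OSSEChybrid<-OSSECagent."""
    return "<-".join(analyzer_chain(_alert_element(xml_text)))


def idmef_fields(xml_text):
    """Flatten the chain into composite fields (assumed names) a Logstash filter could emit."""
    chain = analyzer_chain(_alert_element(xml_text))
    return {"Alert.Analyzing.Path": "<-".join(chain),
            "Alert.Analyzing.Hops": len(chain),
            "Alert.Analyzing.Origin": chain[-1] if chain else None}


def _alert_element(xml_text):
    # For alerts from untrusted senders, parse with defusedxml instead of the stdlib parser.
    alert = ET.fromstring(xml_text).find("idmef:Alert", IDMEF_NS)
    if alert is None:
        raise ValueError("no idmef:Alert element in message")
    return alert
```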
Ahh, that makes sense, I will need to have a read of that RFC (https://www.ietf.org/rfc/rfc4765.txt ?)... Queue up the coffee!
I guess the "problem" I was trying to solve was to make the fields a little clearer, yes, it's not something you would really need to edit on a regular basis, I just found myself having to double check which field I was working with more often.
@craiglawson, I think we can add a config for logstash. This config will apply custom transforms for users. That way all configs will be consistent with the master branch, but the end user can still modify or add fields. One problem is that kibana can't automatically reflect those changes, and the user must create custom dashboards to use the custom fields.
What do you think about it?
Instead of Alert.Analyzer.Analyzer.Node.Name, which can be confusing to read at a glance, would it be suitable to highlight that this is a log which has arrived via hybrid box e.g. Alert.Analyzer.Hybrid.Node.Name?
And repeat for the other patterns...