jrossi / issue-migration-test

GNU General Public License v2.0

json format of messages generated by ossec #50

Open jrossi opened 10 years ago

jrossi commented 10 years ago

_This is a backwards-compatibility-breaking feature_

Switch to using a json format message for internally generated events.

By switching to JSON events, parsing is general and can allow adding features without changing parser code (just rules).

A good example of how I see this working is that syscheck events could be something like the following:

```json
{
    "app":"ossec-syscheck",
    "type":"syscheck",
    "log":"file blah changed",
    "hostname":"something.example.com",
    "file":"/etc/passwd",
    "changes":{
          "sha512":{
                 "before":"aaaaaaaaa11111",
                 "after":"bbbbbbbbbbbbbbbbbb"
          },
          "blake3":{
                 "before":"xxxxxxxxxxxxxxxxxxxxxxxxxx",
                 "after":"yyyyyyyyyyyyyyyyyyyyyyy"
          },
          "owner":{
                 "before":"root",
                 "after":"nobody"
          }
    }
}
```

Of course this does not help that much with what we currently have, but think about the options for Windows:

```json
{
    "app":"ossec-syscheck",
    "type":"syscheck",
    "log":"file blah changed",
    "hostname":"win2013.example.com",
    "file":"c:\\window\\system32\\etc\\hosts",
    "changes":{
          "sha512":{
                 "before":"aaaaaaaaa11111",
                 "after":"bbbbbbbbbbbbbbbbbb"
          },
          "blake3":{
                 "before":"xxxxxxxxxxxxxxxxxxxxxxxxxx",
                 "after":"yyyyyyyyyyyyyyyyyyyyyyy"
          },
          "owner":{
                 "before":"SYSTEM",
                 "after":"iis"
          },
          "groups":{
                 "before":["administrator", "system"],
                 "after":["Administrators", "iisuser", "iis", "domain users"]
          }
    }
}
```

Note: This issue has been automatically migrated from Bitbucket Created by jrossi on 2013-09-13 01:11:26+00:00, last updated: 2013-09-13 01:13:52+00:00
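An added example, not code from this issue or from OSSEC: a generic consumer of the proposed format in Python that walks every attribute under "changes" and matches the results against rules held as data, so a new attribute such as "groups" needs a rule but no parser change. The sample event, rule ids and levels are constructed for illustration.

```python
import json

# Constructed sample event in the proposed format (not from the OSSEC code base);
# the Windows path is escaped as valid JSON requires.
SAMPLE_EVENT = r'''{
  "app": "ossec-syscheck", "type": "syscheck", "log": "file blah changed",
  "hostname": "win2013.example.com", "file": "c:\\window\\system32\\etc\\hosts",
  "changes": {
    "sha512": {"before": "aaaaaaaaa11111", "after": "bbbbbbbbbbbbbbbbbb"},
    "owner":  {"before": "SYSTEM", "after": "iis"},
    "groups": {"before": ["administrator", "system"],
               "after":  ["Administrators", "iisuser", "iis", "domain users"]}
  }
}'''

def parse_changes(raw):
    """Generic parser: every key under "changes" becomes (attribute, before, after).
    A new attribute in the event needs no parser change, only a rule."""
    event = json.loads(raw)
    if event.get("type") != "syscheck":
        return event, []
    changes = []
    for attr, delta in event.get("changes", {}).items():
        before, after = delta.get("before"), delta.get("after")
        if before != after:  # skip attributes that were reported but did not change
            changes.append((attr, before, after))
    return event, changes

# Rules are data, not code: each names an attribute and optionally a value that
# must have been added to a list-valued attribute (hypothetical ids and levels).
RULES = [
    {"id": 550, "level": 7,  "attr": "sha512", "desc": "file content changed"},
    {"id": 553, "level": 10, "attr": "owner",  "desc": "file owner changed"},
    {"id": 554, "level": 12, "attr": "groups", "added": "Administrators",
     "desc": "Administrators group granted on file"},
]

def evaluate(raw):
    """Returns the alerts fired for one event as (rule id, level, description, file)."""
    event, changes = parse_changes(raw)
    alerts = []
    for attr, before, after in changes:
        for rule in RULES:
            if rule["attr"] != attr:
                continue
            if "added" in rule:
                added = set(after or []) - set(before or [])
                if rule["added"] not in added:
                    continue
            alerts.append((rule["id"], rule["level"], rule["desc"], event["file"]))
    return alerts
```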