Open jrossi opened 10 years ago
_This is a backwards-compatibility-breaking feature._
Switch to using a JSON format message for internally generated events.
By switching to JSON events, parsing is general and can allow adding features without changing parser code (just rules).
A good example of how I see this working is syscheck events, which could be something like the following:
```json
{
  "app": "ossec-syscheck",
  "type": "syscheck",
  "log": "file blah changed",
  "hostname": "something.example.com",
  "file": "/etc/passwd",
  "changes": {
    "sha512": { "before": "aaaaaaaaa11111", "after": "bbbbbbbbbbbbbbbbbb" },
    "blake3": { "before": "xxxxxxxxxxxxxxxxxxxxxxxxxx", "after": "yyyyyyyyyyyyyyyyyyyyyyy" },
    "owner":  { "before": "root", "after": "nobody" }
  }
}
```
Of course this does not help that much with what we currently have, but think about the options for Windows:
```json
{
  "app": "ossec-syscheck",
  "type": "syscheck",
  "log": "file blah changed",
  "hostname": "win2013.example.com",
  "file": "c:\\window\\system32\\etc\\hosts",
  "changes": {
    "sha512": { "before": "aaaaaaaaa11111", "after": "bbbbbbbbbbbbbbbbbb" },
    "blake3": { "before": "xxxxxxxxxxxxxxxxxxxxxxxxxx", "after": "yyyyyyyyyyyyyyyyyyyyyyy" },
    "owner":  { "before": "SYSTEM", "after": "iis" },
    "groups": {
      "before": ["administrator", "system"],
      "after":  ["Administrators", "iisuser", "iis", "domain users"]
    }
  }
}
```
Note: This issue has been automatically migrated from Bitbucket. Created by jrossi on 2013-09-13 01:11:26+00:00, last updated: 2013-09-13 01:13:52+00:00.
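To show what "rules without parser changes" looks like over the proposed format, here is an added example (not OSSEC code, and not from the issue author): it decodes one constructed Windows syscheck event of the shape above, rejects events missing the agreed top-level keys, and fires hypothetical data-driven rules for any attribute whose `before`/`after` differ, reporting the added and removed group members for list-valued attributes.

```python
import json

REQUIRED = ("app", "type", "log", "hostname", "file", "changes")

# Constructed sample event in the JSON shape proposed in the issue (placeholder values).
SAMPLE_EVENT = r'''{"app": "ossec-syscheck", "type": "syscheck", "log": "file blah changed",
 "hostname": "win2013.example.com", "file": "c:\\windows\\system32\\etc\\hosts",
 "changes": {
   "sha512": {"before": "aaaaaaaaa11111", "after": "bbbbbbbbbbbbbbbbbb"},
   "owner": {"before": "SYSTEM", "after": "iis"},
   "groups": {"before": ["administrator", "system"],
              "after": ["Administrators", "iisuser", "iis", "domain users"]}}}'''

# Hypothetical rules kept as data: each names the changed attribute it fires on,
# so a new attribute in the event only needs a new rule, not new parser code.
RULES = [
    {"id": 100001, "level": 7, "field": "owner", "desc": "file owner changed"},
    {"id": 100002, "level": 10, "field": "groups", "desc": "file group membership changed"},
    {"id": 100003, "level": 5, "field": "sha512", "desc": "file content changed"},
]

def parse_event(raw):
    """Decode one event and reject anything missing the agreed top-level keys."""
    event = json.loads(raw)  # raises ValueError on malformed JSON (e.g. trailing commas)
    missing = [k for k in REQUIRED if k not in event]
    if missing or not isinstance(event["changes"], dict):
        raise ValueError("malformed syscheck event, missing: %s" % missing)
    return event

def evaluate(event, rules=RULES):
    """Return one alert per rule whose attribute actually changed in this event."""
    alerts = []
    for rule in rules:
        change = event["changes"].get(rule["field"])
        if not change or change.get("before") == change.get("after"):
            continue
        alert = {"rule_id": rule["id"], "level": rule["level"], "desc": rule["desc"],
                 "hostname": event["hostname"], "file": event["file"],
                 "before": change["before"], "after": change["after"]}
        if isinstance(change["before"], list):  # set-valued attribute: report the delta too
            before, after = set(change["before"]), set(change["after"])
            alert["added"] = sorted(after - before)
            alert["removed"] = sorted(before - after)
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in evaluate(parse_event(SAMPLE_EVENT)):
        print(json.dumps(a))
```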