Open stoggi opened 4 years ago
I swear I replied to this twice. Anyway, group is now groups which is an array of the groups. We could include the group (just a comma separated string of groups) as well, but I'm not a huge fan of the duplication.
If you do remove group, then I'd recommend adding a version field to the JSON output, so that parsers can keep track of changes to the schema.
I spent a bit of time extracting the schema from to_json.c; I'll submit a PR to update the docs with the fields and descriptions.
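As an added example, not code from this issue or from OSSEC itself, here is a small Python reader for the alert shapes the thread discusses: it accepts both the older rule.group comma-separated string and the newer rule.groups array, normalises them to one list, and refuses any alert whose top-level version field (the field proposed above; OSSEC does not emit one today) it does not know. The sample alert lines are constructed for this example and are not captured OSSEC output, and the field names other than group and groups (sidid, comment, level, srcip) are assumed for illustration rather than taken from to_json.c.

```python
import json

# Constructed sample alerts (not real OSSEC output). OLD_STYLE carries the
# original comma-separated rule.group string, NEW_STYLE carries the rule.groups
# array that replaced it, and VERSIONED additionally carries the proposed
# top-level "version" field that current OSSEC does not emit.
OLD_STYLE = ('{"rule": {"level": 5, "sidid": 5503, '
             '"group": "pam,syslog,authentication_failed,", '
             '"comment": "User login failed."}, "srcip": "198.51.100.7"}')
NEW_STYLE = ('{"rule": {"level": 5, "sidid": 5503, '
             '"groups": ["pam", "syslog", "authentication_failed"], '
             '"comment": "User login failed."}, "srcip": "198.51.100.7"}')
VERSIONED = ('{"version": 2, "rule": {"level": 10, "sidid": 5712, '
             '"groups": ["syslog", "sshd", "authentication_failures"], '
             '"comment": "SSHD brute force."}, "srcip": "203.0.113.9"}')

# Schema versions this reader understands. None stands for output that predates
# a version field; the numbers are assumed values for the proposed field.
SUPPORTED_VERSIONS = {None, 1, 2}


def parse_alert(line):
    """Parse one JSON alert line into a dict whose "groups" is always a list."""
    alert = json.loads(line)
    version = alert.get("version")
    if version not in SUPPORTED_VERSIONS:
        # Fail closed: a parser that silently guesses at an unknown schema
        # is exactly what the version field is meant to prevent.
        raise ValueError(f"unsupported alert schema version: {version!r}")
    rule = alert.get("rule")
    if not isinstance(rule, dict):
        raise ValueError("alert has no rule object")
    if "groups" in rule:
        groups = rule["groups"]
        if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
            raise ValueError("rule.groups must be an array of strings")
    elif "group" in rule:
        # Older shape: one string, comma separated, possibly with a trailing comma.
        groups = [g.strip() for g in rule["group"].split(",") if g.strip()]
    else:
        groups = []
    return {
        "version": version,
        "level": rule.get("level"),
        "rule_id": rule.get("sidid"),
        "groups": groups,
        "comment": rule.get("comment"),
        "srcip": alert.get("srcip"),
    }


def has_group(parsed, name):
    """True when the normalised alert belongs to the named rule group."""
    return name in parsed["groups"]


def rejects_unknown_version(line):
    """True when parse_alert refuses the line because of its version field."""
    try:
        parse_alert(line)
    except ValueError as exc:
        return "schema version" in str(exc)
    return False


if __name__ == "__main__":
    for sample in (OLD_STYLE, NEW_STYLE, VERSIONED):
        print(parse_alert(sample))
```

Both the old and the new shape come out with the same groups list, so downstream matching such as has_group does not need to know which OSSEC build produced the alert; only the version check needs updating when the schema changes again.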
I'm writing a JSON parser for the EventInfo output logs, and I noticed that the group field is no longer in the rule object.
The group field was introduced here: https://github.com/ossec/ossec-hids/commit/7e094aeeeb1e0f55dca335cdae8237f6d50b99e3
But it looks like it was removed here: https://github.com/ossec/ossec-hids/commit/487708e26d2ca83975fdf184f505b687eb609333
Was this intentional? I don't have a current deployment of ossec to verify that it is indeed missing in the output.