ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

JSON EventInfo output missing "group" field in "rule" object #1838

Open stoggi opened 4 years ago

stoggi commented 4 years ago

I'm writing a JSON parser for the EventInfo output logs, and I noticed that the group field is no longer in the rule object.

The group field was introduced here: https://github.com/ossec/ossec-hids/commit/7e094aeeeb1e0f55dca335cdae8237f6d50b99e3

But looks like it was removed here: https://github.com/ossec/ossec-hids/commit/487708e26d2ca83975fdf184f505b687eb609333

Was this intentional? I don't have a current deployment of ossec to verify that it is indeed missing in the output.

ddpbsd commented 4 years ago

I swear I replied to this twice. Anyway, group is now groups, which is an array of the groups. We could include the group (just a comma-separated string of groups) as well, but I'm not a huge fan of the duplication.

stoggi commented 4 years ago

If you do remove group, then I'd recommend adding a version field to the JSON output, so that parsers can keep track of changes to the schema.

I spent a bit of time extracting the schema from to_json.c; I'll submit a PR to update the docs with the fields and descriptions.
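A parser that tolerates both schemas discussed above (the old comma-separated rule.group string and the current rule.groups array) and checks for the schema version field suggested in this thread, as an added example that is not OSSEC's code or the reporter's parser. The sample records are constructed, and the top-level "version" key is hypothetical (proposed here, not emitted by OSSEC).

```python
import json

# Constructed sample records (not real OSSEC output): one with the old
# comma-separated "group" string, one with the current "groups" array, and one
# carrying the hypothetical "version" field proposed in this thread.
SAMPLE_EVENTS = [
    '{"rule": {"group": "syslog,sshd,authentication_failed"}}',
    '{"rule": {"groups": ["syslog", "sshd", "authentication_failed"]}}',
    '{"version": 2, "rule": {"groups": ["syslog", "pam"]}}',
]


def rule_groups(event):
    """Return the rule's groups as a list, accepting either schema.

    Older output carries rule.group as a comma-separated string; current output
    carries rule.groups as an array. Missing or malformed values give [] rather
    than raising, so one odd record does not stop the whole log from parsing.
    """
    rule = event.get("rule") or {}
    groups = rule.get("groups")
    if isinstance(groups, list):
        return [g for g in groups if isinstance(g, str) and g]
    group = rule.get("group")
    if isinstance(group, str):
        return [g.strip() for g in group.split(",") if g.strip()]
    return []


def parse_event(line, known_versions=(1, 2)):
    """Parse one JSON line into a normalised dict with a 'groups' list.

    "version" is the hypothetical schema marker from the thread. A record
    without it is treated as version 1; an unknown version is flagged so the
    parser fails loudly on a schema change instead of silently losing fields.
    """
    event = json.loads(line)
    version = event.get("version", 1)
    return {
        "version": version,
        "known_schema": version in known_versions,
        "groups": rule_groups(event),
    }


def parse_events(lines):
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for parsed in parse_events(SAMPLE_EVENTS):
        print(parsed)
```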