Decoder file items
| Configuration item | Remarks |
|---|---|
| `<decoder name="...">` | The decoder name is mandatory. |
| `<decoder name="...">` | Makes it possible to link the decoder to a higher-level decoder. |
| `<decoder name="..."> <prematch>...</prematch> </decoder>` | Advanced OSSEC regular expression used to check quickly whether the decoder applies to the log message. |
| `<decoder name="..."> <prematch_pcre2>...</prematch_pcre2> </decoder>` | PCRE2 regular expression used to check quickly whether the decoder applies to the log message. |
| `<decoder name="..."> <program_name>...</program_name> </decoder>` | Simple OSSEC regular expression matched against the program_name field extracted during the pre-decoding phase, used to check quickly whether the decoder applies to the log message. |
| `<decoder name="..."> <program_name_pcre2>...</program_name_pcre2> </decoder>` | PCRE2 regular expression matched against the program_name field extracted during the pre-decoding phase, used to check quickly whether the decoder applies to the log message. |
| `<decoder name="..."> <regex>...</regex> <order>...</order> </decoder>` | Extracts fields from the log using an advanced OSSEC regular expression with capture groups; the names listed in order receive the captured values. SES Evolution makes it possible to extract to any field name. |
| `<decoder name="..."> <pcre2>...</pcre2> <order>...</order> </decoder>` | Extracts fields from the log using a PCRE2 regular expression with capture groups; the names listed in order receive the captured values. SES Evolution makes it possible to extract to any field name. |
| `<decoder name="..."> <use_own_name>...</use_own_name> </decoder>` | Makes it possible to write rules later that target the name of this decoder when it is not at the first level. SES Evolution ignores this option but accepts decoders from all levels in the decoded_as option of rules. |
| `<decoder name="..."> <type>...</type> </decoder>` | Classifies the decoder. The supported values are: firewall, ids, web-log, syslog, squid, windows, host-information and OSSEC. The first seven mandatory rules (in rules_config.xml) correspond to all of these types except host-information. |
| `<decoder name="..."> <fts>...</fts> </decoder>` | Caches n-tuples of fields so that it can be determined whether their values have already been observed together. |
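To show how the gating elements (program_name_pcre2, prematch_pcre2) and the pcre2 / order pair fit together, here is a small added example that loads a constructed decoder file and runs two constructed syslog lines through it. It is illustrative code written for this page, not SES Evolution or OSSEC code: the pre-decoding regex, the sample decoders and log lines are assumptions, and Python's `re` module stands in for PCRE2 (the two dialects agree on the simple patterns used here but are not identical). The load step also enforces a check a practitioner wants: the number of capture groups in pcre2 must equal the number of names in order, otherwise fields would be silently mis-assigned.

```python
"""Illustrative decoder engine (added example, not SES Evolution/OSSEC code).

Pipeline mirrored from the configuration table:
  1. pre-decoding: split the syslog line into hostname, program_name, log body
  2. gating: program_name_pcre2 and prematch_pcre2 decide whether a decoder applies
  3. extraction: pcre2 capture groups are mapped positionally onto the names in order
"""
import re
import xml.etree.ElementTree as ET

# Constructed decoder file using only elements from the table above.
DECODERS_XML = r"""
<decoders>
  <decoder name="sshd-failed">
    <program_name_pcre2>^sshd$</program_name_pcre2>
    <prematch_pcre2>^Failed password for </prematch_pcre2>
    <pcre2>^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)</pcre2>
    <order>user, srcip, srcport</order>
  </decoder>
  <decoder name="sshd-accepted">
    <program_name_pcre2>^sshd$</program_name_pcre2>
    <prematch_pcre2>^Accepted </prematch_pcre2>
    <pcre2>^Accepted \w+ for (\S+) from (\S+)</pcre2>
    <order>user, srcip</order>
  </decoder>
</decoders>
"""

# Assumed pre-decoder for classic syslog: "Mon DD HH:MM:SS host prog[pid]: body".
PREDECODE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")


def load_decoders(xml_text):
    """Parse <decoder> entries and validate that order matches the capture groups."""
    decoders = []
    for d in ET.fromstring(xml_text).findall("decoder"):
        regex = d.findtext("pcre2")
        order = [f.strip() for f in (d.findtext("order") or "").split(",") if f.strip()]
        if regex is not None and re.compile(regex).groups != len(order):
            raise ValueError(f"decoder {d.get('name')}: {re.compile(regex).groups} "
                             f"capture groups but {len(order)} names in <order>")
        decoders.append({
            "name": d.get("name"),
            "program_name": d.findtext("program_name_pcre2"),
            "prematch": d.findtext("prematch_pcre2"),
            "regex": regex,
            "order": order,
        })
    return decoders


def predecode(line):
    """Pre-decoding phase: extract program_name and the log body from a syslog line."""
    m = PREDECODE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}


def decode(line, decoders):
    """Return the fields extracted by the first decoder whose gates accept the line."""
    pre = predecode(line)
    for d in decoders:
        # program_name gate: cheap check against the pre-decoded program name
        if d["program_name"] and not (pre["program_name"]
                                      and re.search(d["program_name"], pre["program_name"])):
            continue
        # prematch gate: cheap check against the log body before the full regex
        if d["prematch"] and not re.search(d["prematch"], pre["log"]):
            continue
        fields = {"decoder": d["name"]}  # the name rules can target via decoded_as
        if d["regex"]:
            m = re.search(d["regex"], pre["log"])
            if m:
                fields.update(zip(d["order"], m.groups()))
        return fields
    return None


DECODERS = load_decoders(DECODERS_XML)

if __name__ == "__main__":
    # Constructed sample lines.
    for sample in (
        "Mar  1 12:00:00 host sshd[123]: Failed password for root from 10.0.0.5 port 4242 ssh2",
        "Mar  1 12:00:01 host sshd[124]: Accepted publickey for alice from 10.0.0.6 port 5555 ssh2",
        "Mar  1 12:00:02 host cron[7]: (root) CMD (run-parts /etc/cron.hourly)",
    ):
        print(decode(sample, DECODERS))
```

The two gates run before the extraction regex, which is why prematch and program_name exist at all: they let the engine reject most lines cheaply. The third sample line comes from cron and is rejected by the program_name gate, so decode returns None for it.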
| Configuration item | Remarks |
|---|---|
| `<decoder status="...">` | Even though OSSEC contains code to read this attribute, any configuration that contains it is invalid. |
| `<decoder id="...">` | OSSEC contains code to read this attribute but does not use its value. |
| `<decoder type="...">` | OSSEC contains code to read this attribute but does not use its value. |
| `<decoder name="..."> <plugin_decoder>...</plugin_decoder> </decoder>` | Allows users to compile their own decoders for specific needs. |
| `<decoder name="..."> <accumulate/> </decoder>` | Supports logs that span several lines with common fields. |