Required fields are in bold.
OSSEC EventInfo alert parser. Currently only JSON output is supported. Reference: https://www.ossec.net/docs/docs/formats/alerts.html
| Column | Type | Description |
| --- | --- | --- |
| | | Unique id of the event. |
| | | Information about the rule that created the event. |
| | | Timestamp in UTC. |
| | | Source of the event (filename, command, etc). |
| | | Hostname of the host that created the event. |
| | | The full captured log of the event. |
| | | The event action (drop, deny, accept, etc). |
| | | The IP address of an agent extracted from the hostname. |
| | | The name of an agent extracted from the hostname. |
| | | The command extracted by the decoder. |
| | | Additional data extracted by the decoder, for example a filename. |
| | | The name of the decoder used to parse the logs. |
| | | Information about the decoder used to parse the logs. |
| | | In the case of a nested decoder, the name of its parent. |
| | | GeoIP location information about the destination IP address. |
| | | The destination IP address. |
| | | The destination port. |
| | | The destination (target) username. |
| | | The source log file that was decoded to generate the event. |
| | | The full captured log of the previous event. |
| | | The executable name extracted from the log by the decoder used to match a rule. |
| | | The protocol (ip, tcp, udp, etc) extracted by the decoder. |
| | | GeoIP location information about the source IP address. |
| | | The source IP address. |
| | | The source port. |
| | | The source username. |
| | | Event status (success, failure, etc). |
| | | Information about a file integrity check. |
| | | The system name extracted by the decoder. |
| | | URL of the event. |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes associated with the row. |
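To show how the derived columns above (agent name and IP taken from the hostname, the UTC event time, and the Panther-added indicator collection) come out of one OSSEC JSON alert, here is an added Python example; it is not Panther's parser. It assumes the OSSEC JSON key names from the alert format linked above, that `TimeStamp` is epoch milliseconds, and that an agent hostname has the form `(agentName) agentip`; the sample alert is constructed.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Assumed agent hostname form "(agentName) agentip"; the p_* names are Panther's standard columns.
AGENT_HOST_RE = re.compile(r"^\((?P<name>[^)]+)\)\s+(?P<ip>\S+)$")
IP_FIELDS = ("srcip", "dstip", "agentip")


def parse_ossec_alert(line: str) -> dict:
    """Flatten one OSSEC JSON alert into an EventInfo-style record with Panther p_* fields."""
    raw = json.loads(line)
    event = dict(raw)
    # Assumption: OSSEC's JSON output carries TimeStamp as epoch milliseconds; normalize to UTC.
    ts = raw.get("TimeStamp")
    if ts is not None:
        event["TimeStamp"] = datetime.fromtimestamp(int(ts) // 1000, tz=timezone.utc).isoformat()
    # Agent name and IP are derived from the hostname, as the schema descriptions state.
    match = AGENT_HOST_RE.match(raw.get("hostname", ""))
    if match:
        event["agentName"] = match.group("name")
        event["agentip"] = match.group("ip")
    event["p_log_type"] = "OSSEC.EventInfo"
    event["p_event_time"] = event.get("TimeStamp")
    event["p_parse_time"] = datetime.now(timezone.utc).isoformat()
    # Collect every valid address across the IP fields; placeholders like "(none)" are dropped.
    ips = set()
    for field in IP_FIELDS:
        value = event.get(field)
        if value:
            try:
                ips.add(str(ipaddress.ip_address(value)))
            except ValueError:
                continue
    event["p_any_ip_addresses"] = sorted(ips)
    return event


# Constructed sample alert (not real data); rule and addresses are illustrative only.
SAMPLE_ALERT = json.dumps({
    "rule": {"level": 5, "comment": "SSHD authentication failed.", "sidid": 5716},
    "id": "1470770232.3847",
    "TimeStamp": 1470770232000,
    "location": "/var/log/auth.log",
    "hostname": "(web01) 10.0.0.5",
    "srcip": "192.0.2.10",
    "dstip": "(none)",
})
```

Running `parse_ossec_alert(SAMPLE_ALERT)` yields `agentName` `web01`, `agentip` `10.0.0.5`, and `p_any_ip_addresses` containing both the agent and source addresses while the `(none)` destination is discarded.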