@jrossi
Created September 6, 2010 17:18
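// standard message
// The top-level value is an object (the original sketch opened it with "[",
// which cannot hold "header": ... pairs), and "payload" is a normal key.
{
  "header": {
    // All four positions are required. The array is positional, so the order
    // below is part of the wire format.
    "msg": [
      0,      // major msg version
      0,      // minor msg version
      0,      // message type
      "000"   // agent id
    ],
    // Optional, but should be present in most cases.
    // NOTE(review): nothing in this header authenticates the sender — the agent
    // id and the host fields are claims made by whoever sent the message. This
    // presumably relies on the existing keyed agent channel for origin
    // authentication and integrity; confirm, and do not base access decisions
    // on "agent"/"host" alone.
    "agent": {
      "ver": "2.5.0-snapshot",
      "os": "Text for os type",
      "host": {
        "name": "something.exmaple.com",
        "ipv4": "10.4.32.1",
        "ipv6": "dead:beef::2"   // needs "::" to be a valid IPv6 literal (matches the syslog example)
      }
    }
  },
  // Array of payloads — see the payload types below.
  "payload": [
  ]
}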
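// standard response
{
  "header": { "msg": [0, 0, 0, "server-id"] },
  "payload": {
    "confirmed": false,   // JSON literals are lower-case (true/false/null), not Python's True/False
    "reason": "DiskFull",
    // Ordered list of instructions the agent carries out in sequence.
    // NOTE(review): "failover" points the agent at an arbitrary address and
    // "restart" is a remote command. Unless the response is authenticated
    // end-to-end, a spoofed response could redirect every future log to an
    // attacker-chosen host — the agent should only fail over to servers already
    // in its own configuration and ignore any other target. "tcp://" says
    // nothing about transport protection; confirm the channel is encrypted.
    // "retry" values are presumably seconds — the name does not say; confirm.
    "action": [
      { "retry": 2 },
      { "failover": "tcp://192.168.5.1:1512" },
      { "retry": 5 },
      { "failover": "tcp://172.16.32.1:1512" },
      { "retry": 5 },
      { "restart": true }
    ]
  }
}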
// ## Payload types:
// #### Legacy - Old standard format for messages that have not been converted to the new format
// A legacy payload is a single opaque string. The server has to parse it itself and
// should treat the text as untrusted input: it is whatever wrote the original log line.
"Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied",
"ossec: agentless: STORE Start",
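// #### Syslog
{
  // org-host is the original host of the event — required.
  // Any combination of name/ipv4/ipv6 is allowed, but at least one *must* be present.
  // NOTE(review): these values are asserted by the agent or relay, not verified,
  // so the server must not treat them as an authenticated source identity.
  "org-host": {
    "name": "something.example.com",
    "ipv4": "192.0.2.10",     // dotted-quad string, same form as header.agent.host.ipv4 (RFC 5737 example address)
    "ipv6": "dead:beef::2"
  },
  // rly-host is the relay host for the system messages — optional.
  // Same rule as org-host: one or more of name/ipv4/ipv6, at least one present.
  "rly-host": {
    "name": "diff.example.com",
    "ipv4": "192.0.2.11",
    "ipv6": "dead:beef::2"
  },
  "org-file": "/var/log/messages",   // optional, but SHOULD be supplied when known
  // par-log allows basic parsing on the client side. Everything in it is derived
  // from untrusted log text; the server must validate these fields rather than
  // rely on them for anything security-relevant. raw-log is the record of truth.
  "par-log": {
    "facility": 1,        // should be present if possible
    "Severity": 1,        // should be present if possible. NOTE(review): capitalised unlike every other key — consider "severity"
    "log": "client 217.148.39.3#1036: query (cache) denied",   // optional; the message part only, to speed up processing
    "program": "named",   // should be present if possible
    "epoch": 10101010101  // should be present if possible; presumably seconds since the Unix epoch — the name does not say, confirm
  },
  // Required even if par-log is present.
  "raw-log": "Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied"
}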
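// #### Windows Eventlog
// The string values below are placeholders. Field contents come from the event
// record and are untrusted text: event descriptions carry attacker-supplied
// input verbatim (e.g. the user name from a failed logon), so the server must
// escape/validate them before display or further parsing.
{
  "log": "alksjlasd",           // presumably the log name (Application/Security/System) — confirm
  "source": "akljsdalksd",      // event source (provider) name
  "event": "akldjalsdkllka",    // NOTE(review): a string here, while the other ids in this payload are numbers — confirm the intended type
  "type": {
    "name": "alskdjalskd",
    "id": 100101
  },
  "category": {
    "name": "aklsjdlakjsdla",
    "id": 10100101
  },
  "user": {
    "name": "jeremy Rossi",
    "sid": "1010010-1119913-0123019283-21928301-818219"   // NOTE(review): Windows SIDs are written "S-1-5-..."; the placeholder lacks that prefix — confirm the expected form
  },
  "computer": {
    "name": "wsk10101",
    "sid": "1010010-1119913-0123019283-21928301-818219"
  },
  "description": "aksjdlaksjdlkasjdla"
}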
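// #### syscheck
// ###### Unix example
{
  "file": "/path/to/file",
  "attr": {
    "type": 0,                   // 0 = Unix, 1 = Windows; other values are reserved for future use
    // NOTE(review): MD5 and SHA-1 are both collision-broken. For file-integrity
    // checking that means an attacker who can plant a file may be able to match
    // a recorded digest; consider carrying a SHA-256 (or stronger) digest as well.
    "md5": "1234567890abcd",
    "sha1": "abcdef09876543231",
    "sum": "1919191911",         // checksum as a string — which algorithm is not stated; confirm
    "owner": { "uid": 10, "name": "jrossi" },
    "gowner": { "uid": 10, "name": "wheel" },   // NOTE(review): the key says "uid" but this is the group owner — confirm whether "gid" was intended
    // Mode bits as an octal string. JSON has no octal literals, so a bare 775
    // would be read as decimal 775 (= 01407), not rwxrwxr-x.
    "perm": "0775",
    "extended": {
      "immutable": true,
      // "type": 0 = user, 1 = group, 2 = world
      "acl": [
        {
          "type": 0,
          "perm": 7,
          "uid": 0,
          "name": "root"
        },
        { "type": 0, "perm": 0, "uid": 80, "name": "www" }   // leading zeros (000) are not valid JSON
      ]
    }
  },
  // Optional. A JSON string cannot carry raw bytes, so the blob must be encoded
  // (e.g. base64). This field is agent-controlled and unbounded, so the server
  // should cap the size it accepts.
  "content": "binary blog of de contents"
}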
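// ###### Windows example
{
  "file": "c:\\windows\\explore.exe",
  "attr": {
    "type": 1,                   // 0 = Unix, 1 = Windows; other values are reserved for future use
    // NOTE(review): MD5 and SHA-1 are both collision-broken; for file-integrity
    // checking consider carrying a SHA-256 (or stronger) digest as well.
    "md5": "1234567890abcd",
    "sha1": "abcdef09876543231",
    "sum": "1919191911",         // checksum as a string — which algorithm is not stated; confirm
    "extended": {
      // XXX need to lay out the Windows extended permission model
      // (e.g. owner SID and DACL entries)
    }
  },
  // Optional. A JSON string cannot carry raw bytes, so the blob must be encoded
  // (e.g. base64), and the server should cap the size it accepts since the
  // field is agent-controlled and unbounded.
  "content": "binary blog of de contents"
}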