If you want to filter on the “Additional event information” fields within the events, you need to use the following filter variables:
- Payload Headers JSON
- Data JSON
- Parsed Data JSON
When you query these events, use the PostgreSQL JSON operators documented here:
https://www.postgresql.org/docs/9.4/static/functions-json.html
How to query NIDS Events for the data contained in the “Request Header”
Example 1:
If this is the “Request Header” shown under “Additional Event Info” in an event's detail view:
You can query on the data above using “Payload Headers JSON” and doing something like the following:
This asks the query to return all events whose Request Header contains "User-Agent: TBNotifier".
How to query HIDS Events for the data contained in the “HIDS Data”
You use “Data JSON” to search on HIDS events:
Example:
If this is the “HIDS Data” shown under “Additional Event Info” in an event's detail view:
You can query on the data above using “Data JSON”.
Example 1:
This query says: AND find events where “ossec” is in the “event_type” field.
Example 2:
This query says: AND find events where “event_type”: “ossec” is contained in the data.
Example 3:
This query says: AND find events where “rootcheck”: “ossec” is in the 'rule'->'groups' field.
How to query SYSLOG Events for the data contained in the “Raw log”
You use “Data JSON” to search on SYSLOG events:
If this is the “Syslog Data” shown under “Additional Event Info” in an event's detail view:
Related to this raw log:
Example 1:
You can query on the basic data above using “Data JSON”.
Example 2:
This is how you get at the “Packet Param” data below the Syslog Data:
Example 3:
If you just want a specific “EventID” you can do this:
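As an added example (not part of the original article), the following self-contained PostgreSQL script shows how the NIDS, HIDS and SYSLOG filters described above map onto the JSON operators from the linked documentation. The table name, column names, the nested “Packet Param” layout and all sample rows are constructed assumptions, not data from the product.

```sql
-- Constructed example: the "Payload Headers JSON" and "Data JSON" filter
-- variables modelled as two jsonb columns. Names are assumptions.
CREATE TEMP TABLE events (
    id              serial PRIMARY KEY,
    payload_headers jsonb,   -- "Payload Headers JSON" (NIDS)
    data            jsonb    -- "Data JSON" (HIDS / SYSLOG)
);

-- Constructed sample rows, not real captures.
INSERT INTO events (payload_headers, data) VALUES
  ('{"Request Header": "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: TBNotifier"}', NULL),
  (NULL, '{"event_type": "ossec", "rule": {"groups": ["ossec", "rootcheck"]}}'),
  (NULL, '{"event_type": "syslog", "Packet Param": {"EventID": "4625"}}');

-- NIDS, Example 1: Request Header contains "User-Agent: TBNotifier".
-- ->> returns the header block as text, so an ILIKE substring filter applies.
SELECT id FROM events
 WHERE payload_headers ->> 'Request Header' ILIKE '%User-Agent: TBNotifier%';

-- HIDS, Example 1: "ossec" in the event_type field (key/value match).
SELECT id FROM events WHERE data ->> 'event_type' = 'ossec';

-- HIDS, Example 2: containment; the document must include {"event_type": "ossec"}.
SELECT id FROM events WHERE data @> '{"event_type": "ossec"}';

-- HIDS, Example 3: walk into rule -> groups and test for the "rootcheck" member.
-- Assumes groups is a JSON array of strings; ? tests for a string element.
SELECT id FROM events WHERE data -> 'rule' -> 'groups' ? 'rootcheck';

-- SYSLOG, Examples 2 and 3: nested "Packet Param" object, then one EventID.
-- The EventID value 4625 is a constructed sample value.
SELECT id FROM events WHERE data -> 'Packet Param' ->> 'EventID' = '4625';
```

Each SELECT returns exactly one matching row id (1, 2, 2, 2 and 3 respectively) against the constructed rows.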