Log data analysis

Log data analysis involves reviewing logs generated by network devices, endpoints, and applications to gain visibility into an IT infrastructure. This visibility extends to multiple areas, including threat detection, system performance monitoring, troubleshooting, compliance auditing, and identifying anomalous activities. Log data analysis in ThreatLockDown involves three phases:

  • Pre-decoding

  • Decoding

  • Rule matching

To illustrate the phases, let's consider a sample log entry:

Feb 14 12:19:04 192.168.1.1 sshd[25474]: Accepted password for Stephen from 192.168.1.133 port 49765 ssh2

Pre-decoding

In the pre-decoding phase, the log analysis engine extracts syslog-like information such as timestamp, hostname, and program name from the log header.

Extracted information:

timestamp: 'Feb 14 12:19:04'
hostname: '192.168.1.1'
program_name: 'sshd'

Decoding

In the decoding phase, the log analysis engine looks for a decoder that matches the sample log. The two decoders below match it: a parent decoder that matches on the program name, and a child decoder that extracts fields from the message body. These decoders are in the /var/ossec/ruleset/decoders/0310-ssh_decoders.xml file on the ThreatLockDown server:

<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port (\S+)</regex>
  <order>user, srcip, srcport</order>
  <fts>name, user, location</fts>
</decoder>

The decoder sshd matches the program name sshd, while its child decoder sshd-success extracts Stephen, 192.168.1.133, and 49765 from the sample log. Because the regex carries offset="after_prematch", it is applied only to the text that follows the prematch string Accepted. The user field named in order is reported as dstuser in the decoded output.

Extracted information:

dstuser: 'Stephen'
srcip: '192.168.1.133'
srcport: '49765'

To learn more about decoders, see the decoders syntax section.

Rule matching

In this phase, the ThreatLockDown server compares the decoded log against the ruleset. Rule 5715 matches the sample log. This rule is in the /var/ossec/ruleset/rules/0095-sshd_rules.xml file on the ThreatLockDown server. Its if_sid element makes it a child of rule 5700, the rule that groups every log handled by the sshd decoder, so rule 5715 is evaluated only for sshd logs.

<rule id="5715" level="3">
  <if_sid>5700</if_sid>
  <match>^Accepted|authenticated.$</match>
  <description>sshd: authentication success.</description>
  <group>authentication_success,pci_dss_10.2.5,</group>
</rule>

By default, the ThreatLockDown server generates alerts for any rule whose level is 3 or higher (the default log_alert_level). In this scenario, the log triggers an alert because the rule level is 3, and the alert is visible on the ThreatLockDown dashboard.
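The three phases above can be followed end to end on the sample log. The script below is an added example, not code from the ThreatLockDown project: it re-implements pre-decoding, the sshd and sshd-success decoders, and rule 5715 in Python and runs them over the page's sample log plus a constructed sshd failure line. The decoder regexes are translated to Python's re module (the native decoder regex syntax is not PCRE, but the page's patterns map directly). Rule 5700, which the page references only through if_sid, is assumed here to be a level-0 grouping rule that matches anything decoded by sshd; the alert threshold of 3 is the default log_alert_level.

```python
import re

# Constructed sample logs. The first is the page's own example; the second is a
# made-up sshd failure used to show a log that reaches rule 5700 but not 5715.
SAMPLE_LOGS = [
    "Feb 14 12:19:04 192.168.1.1 sshd[25474]: Accepted password for Stephen "
    "from 192.168.1.133 port 49765 ssh2",
    "Feb 14 12:20:31 192.168.1.1 sshd[25480]: Failed password for invalid user "
    "admin from 192.168.1.140 port 50112 ssh2",
]

LOG_ALERT_LEVEL = 3  # default alert threshold: rules at this level or above alert

# Phase 1: pre-decoding. Pull timestamp, hostname and program name out of a
# syslog-style header; everything after the header is the message ("log").
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)


def predecode(line):
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"log": line}  # no syslog header: the whole line is the message
    return m.groupdict()


# Phase 2: decoding. Python equivalents of the page's sshd and sshd-success
# decoders. The <order> field "user" is reported as dstuser in decoded output.
SSHD_SUCCESS_PREMATCH = re.compile(r"^Accepted")
SSHD_SUCCESS_REGEX = re.compile(r"^ \S+ for (\S+) from (\S+) port (\S+)")
SSHD_SUCCESS_ORDER = ("dstuser", "srcip", "srcport")


def decode(event):
    event = dict(event)
    # Parent decoder "sshd": <program_name>^sshd</program_name>
    if not event.get("program_name", "").startswith("sshd"):
        return event
    event["decoder"] = "sshd"
    log = event["log"]
    # Child decoder "sshd-success": prematch first, then the regex is applied
    # only to the text after the prematch (offset="after_prematch").
    pm = SSHD_SUCCESS_PREMATCH.search(log)
    if pm:
        m = SSHD_SUCCESS_REGEX.match(log[pm.end():])
        if m:
            event["decoder"] = "sshd-success"
            event.update(zip(SSHD_SUCCESS_ORDER, m.groups()))
    return event


# Phase 3: rule matching. Rule 5700 is assumed to be the level-0 parent that
# groups all sshd-decoded logs; rule 5715 is the one shown on the page. In the
# <match> syntax, ^ anchors the start, $ the end and | separates alternatives.
RULE_5715_MATCH = re.compile(r"^Accepted|authenticated\.$")


def match_rules(event):
    if event.get("decoder") not in ("sshd", "sshd-success"):
        return None
    matched = {"id": 5700, "level": 0, "description": "SSHD messages grouped."}
    # if_sid 5700: only logs that matched the parent are tested against 5715.
    if RULE_5715_MATCH.search(event["log"]):
        matched = {"id": 5715, "level": 3,
                   "description": "sshd: authentication success."}
    return matched


def analyze(line):
    """Run all three phases and decide whether the log raises an alert."""
    event = decode(predecode(line))
    rule = match_rules(event)
    event["rule"] = rule
    event["alert"] = rule is not None and rule["level"] >= LOG_ALERT_LEVEL
    return event


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = analyze(line)
        print(ev["decoder"], ev["rule"], "alert" if ev["alert"] else "no alert")
```

The second constructed line shows why the parent/child structure matters: it is decoded by sshd (so rule 5700 matches and rule 5715 is evaluated), but the sshd-success regex and the 5715 match string do not apply, so it ends at a level-0 rule and produces no alert. In the real engine the failure line would be handled by other sshd rules in the same file; this example deliberately implements only the rules the page shows.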

You can create custom decoders and rules to analyze logs that are not supported by default. To learn how to create custom rules and decoders, refer to custom rules and decoders.