From fb43956a9923d3fa3d5da2df92006f6d3e123919 Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Wed, 12 Jul 2023 17:19:42 -0300 Subject: [PATCH 1/3] Add discard_regex parameter to Services --- .../reference/ossec-conf/wodle-s3.rst | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/source/user-manual/reference/ossec-conf/wodle-s3.rst b/source/user-manual/reference/ossec-conf/wodle-s3.rst index 4a8807f1fb..024a7c6da0 100644 --- a/source/user-manual/reference/ossec-conf/wodle-s3.rst +++ b/source/user-manual/reference/ossec-conf/wodle-s3.rst @@ -368,7 +368,7 @@ Name of AWS organization. Only works with CloudTrail buckets. discard_regex ^^^^^^^^^^^^^ -A regex value to determine if an event should be discarded. It requires a `field` attribute used to specify the field of the event where the regex should be applied. +A regex value to determine if an event should be discarded. It requires a mandatory `field` attribute used to specify the field of the event where the regex should be applied. +--------------------+----------------------------------------+ | **Default value** | N/A | 
@@ -462,6 +462,8 @@ The available types are: ``cloudwatchlogs``, and ``inspector``. +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ | :ref:`service_aws_profile` | Valid profile name | Optional | +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ +| :ref:`service_discard_regex` | A regex value to determine if an event should be discarded | Optional | ++----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ | :ref:`service_iam_role_arn` | Valid role ARN | Optional | +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ | :ref:`service_iam_role_duration` | Number of seconds between 900 and 3600 | Optional (if set, it requires an iam_role_arn | 
@@ -558,6 +560,43 @@ A valid profile name from a Shared Credential File or AWS Config File with the p | **Allowed values** | Valid profile name | +--------------------+--------------------+ +.. _service_discard_regex: + +discard_regex +^^^^^^^^^^^^^ + +A regex value to determine if an event should be discarded. +For ``inspector``, requires a mandatory `field` attribute used to specify the field of the event where the regex should be applied. +In the case of ``cloudwatchlogs``, the `field` attribute can be ommited since the logs can be plain text or JSON format. + ++--------------------+----------------------------------------+ +| **Default value** | N/A | ++--------------------+----------------------------------------+ +| **Allowed values** | Any regex or sregex expression | ++--------------------+----------------------------------------+ + +Attributes: + ++-----------+------------------------------------------------------------------------------------------------------+ +| **field** | The event's field on which the regex should be applied to determine if the event should be skipped | +| +------------------+-----------------------------------------------------------------------------------+ +| | Default value | N/A | +| +------------------+-----------------------------------------------------------------------------------+ +| | Allowed values | A str containing the full field name path | ++-----------+------------------+-----------------------------------------------------------------------------------+ + +Usage examples: + +.. code-block:: console + + REJECT + +- Only available for ``cloudwatchlogs``: + +.. code-block:: console + + .*Log:.* + .. _service_iam_role_arn: iam_role_arn From e7e3ab3de20e0a3af11e457bde6a73100749ac5c Mon Sep 17 00:00:00 2001 
From: Javier Medeot Date: Mon, 17 Jul 2023 15:46:20 -0300 Subject: [PATCH 2/3] Apply changes from review --- .../reference/ossec-conf/wodle-s3.rst | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/source/user-manual/reference/ossec-conf/wodle-s3.rst b/source/user-manual/reference/ossec-conf/wodle-s3.rst index 024a7c6da0..dc17e1920c 100644 --- a/source/user-manual/reference/ossec-conf/wodle-s3.rst +++ b/source/user-manual/reference/ossec-conf/wodle-s3.rst @@ -178,7 +178,7 @@ The available types are: ``cloudtrail``, ``guardduty``, ``vpcflow``, ``config`` +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ | :ref:`bucket_aws_organization_id` | Name of AWS organization | Optional (only works with CloudTrail buckets) | +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ -| :ref:`bucket_discard_regex` | A regex value to determine if an event should be discarded | Optional | +| :ref:`bucket_discard_regex` | A regex to determine if an event must be discarded | Optional | +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ | :ref:`bucket_remove_from_bucket` | A value to determine if each log file is deleted once it | Optional | | | has been collected by the module | | 
@@ -368,7 +368,7 @@ Name of AWS organization. Only works with CloudTrail buckets. discard_regex ^^^^^^^^^^^^^ -A regex value to determine if an event should be discarded. It requires a mandatory `field` attribute used to specify the field of the event where the regex should be applied. +A regular expression to determine if an event must be discarded. It requires a mandatory ``field`` attribute. The regex is applied to the event field specified with this attribute. +--------------------+----------------------------------------+ | **Default value** | N/A | @@ -379,7 +379,7 @@ A regex value to determine if an event should be discarded. It requires a mandat Attributes: +-----------+------------------------------------------------------------------------------------------------------+ -| **field** | The event's field on which the regex should be applied to determine if the event should be skipped | +| **field** | The event field where to apply the regex. | | +------------------+-----------------------------------------------------------------------------------+ | | Default value | N/A | | +------------------+-----------------------------------------------------------------------------------+ 
@@ -462,7 +462,7 @@ The available types are: ``cloudwatchlogs``, and ``inspector``. +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ | :ref:`service_aws_profile` | Valid profile name | Optional | +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ -| :ref:`service_discard_regex` | A regex value to determine if an event should be discarded | Optional | +| :ref:`service_discard_regex` | A regex to determine if an event must be discarded | Optional | +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ | :ref:`service_iam_role_arn` | Valid role ARN | Optional | +----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+ @@ -565,9 +565,10 @@ A valid profile name from a Shared Credential File or AWS Config File with the p discard_regex ^^^^^^^^^^^^^ -A regex value to determine if an event should be discarded. -For ``inspector``, requires a mandatory `field` attribute used to specify the field of the event where the regex should be applied. -In the case of ``cloudwatchlogs``, the `field` attribute can be ommited since the logs can be plain text or JSON format. +A regular expression to determine if an event must be discarded. + +- For ``inspector``, it requires a mandatory ``field`` attribute. The regex is applied to the event field specified with this attribute. +- For ``cloudwatchlogs``, the ``field`` attribute is optional. You can ommit it, for example, when monitoring Cloudwatch logs in JSON format and plain text. +--------------------+----------------------------------------+ | **Default value** | N/A | 
@@ -578,20 +579,20 @@ In the case of ``cloudwatchlogs``, the `field` attribute can be ommited since th Attributes: +-----------+------------------------------------------------------------------------------------------------------+ -| **field** | The event's field on which the regex should be applied to determine if the event should be skipped | +| **field** | The event field where to apply the regex | | +------------------+-----------------------------------------------------------------------------------+ | | Default value | N/A | | +------------------+-----------------------------------------------------------------------------------+ | | Allowed values | A str containing the full field name path | +-----------+------------------+-----------------------------------------------------------------------------------+ -Usage examples: +Usage example: .. code-block:: console REJECT - -- Only available for ``cloudwatchlogs``: + +Usage example only for ``cloudwatchlogs``: .. code-block:: console From d2e33053386d71765fe44c50dba65dbd6f4f45bc Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Tue, 18 Jul 2023 10:06:40 -0300 Subject: [PATCH 3/3] Update source/user-manual/reference/ossec-conf/wodle-s3.rst --- source/user-manual/reference/ossec-conf/wodle-s3.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/user-manual/reference/ossec-conf/wodle-s3.rst b/source/user-manual/reference/ossec-conf/wodle-s3.rst index dc17e1920c..cd8a3843ad 100644 --- a/source/user-manual/reference/ossec-conf/wodle-s3.rst +++ b/source/user-manual/reference/ossec-conf/wodle-s3.rst 
@@ -568,7 +568,7 @@ discard_regex A regular expression to determine if an event must be discarded. - For ``inspector``, it requires a mandatory ``field`` attribute. The regex is applied to the event field specified with this attribute. -- For ``cloudwatchlogs``, the ``field`` attribute is optional. You can ommit it, for example, when monitoring Cloudwatch logs in JSON format and plain text. +- For ``cloudwatchlogs``, the ``field`` attribute is optional. You can omit it, for example, when monitoring Cloudwatch logs in JSON format and plain text. +--------------------+----------------------------------------+ | **Default value** | N/A |
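Review bot: In PATCH 1, hunk @@ -368,7 +368,7 @@ (the bucket ``discard_regex`` section), "It requires a mandatory `field` attribute" is redundant, since "requires" already says the attribute is mandatory, and the single backticks around `field` render as RST interpreted text rather than a literal. PATCH 2 switches to double backticks but keeps the redundancy in its replacement line "It requires a mandatory ``field`` attribute." Suggest "The ``field`` attribute is mandatory. The regex is applied to the event field it names." and the same wording for the ``inspector`` bullet in the service section.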
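Review bot: In PATCH 1, hunk @@ -558,6 +560,43 @@, the usage example for the service ``discard_regex`` shows only the bare value REJECT, while the text two paragraphs above says the ``field`` attribute is mandatory for ``inspector``, so the reader cannot tell which event field REJECT is matched against or how the attribute is written. Show the complete element as it goes in the ``<service>`` block, i.e. ``<discard_regex field="...">REJECT</discard_regex>`` with the field named, and do the same for the ``.*Log:.*`` example without a field. The same hunk never states what the regex is matched against when ``field`` is omitted for ``cloudwatchlogs`` (the entire log message?); one sentence there would close the gap. Minor: "A str containing the full field name path" reads as Python jargon; "A string with the full path of the field" is clearer. "ommited" is a typo, which PATCH 3 fixes.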
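Review bot: In PATCH 2, hunks @@ -379,7 +379,7 @@ and @@ -578,20 +579,20 @@, the new ``field`` description "The event field where to apply the regex" is ungrammatical; suggest "The event field the regex is applied to". The two hunks also disagree on punctuation: the bucket table gets a trailing period ("...the regex.") while the service table gets none. Pick one form for both tables.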
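Review bot: In PATCH 2, hunk @@ -565,9 +565,10 @@ (the line PATCH 3 then touches in hunk @@ -568,7 +568,7 @@), "You can omit it, for example, when monitoring Cloudwatch logs in JSON format and plain text" reads as if both formats are monitored at once and still does not say when omitting ``field`` is appropriate; suggest "You can omit it when the log events are plain text rather than JSON" or whichever condition the module actually implements. Also write the product name as CloudWatch; the ``cloudwatchlogs`` identifier is fine as is.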