On Fri, Apr 19, 2019 at 2:34 PM 'Christian Beer' via ossec-list <ossec-list@googlegroups.com> wrote:
>
> Hi,
>
> this problem is not new to me and I mainly ignore it but now I thought
> to tackle it again since I moved to a new server and installed
> ossec-server using the atomicorp debian packages.
>
> I have a fairly default use case and have an ossec server with one agent
> attached to it. I also have active response enabled using the default
> scripts. This is all working. Where I have a problem is the active
> response logfile. In particular the way time and date is logged to the file.
>
> I installed ossec on this server on Feb 16 and the format is as I expected:
> Sat Feb 16 14:11:29 CET 2019 /var/ossec/active-response/...
>
> But after upgrading the server from debian stable to testing the output
> changed:
> Sat Apr 6 12:19:14 CEST 2019 /var/ossec/active-response/...
> Sat 06 Apr 2019 12:39:54 PM CEST /var/ossec/active-response/...
>
> I just noticed this now and I looked up the locale configuration for
> root and it was set to en_US.UTF-8 which is not what I want. So I
> changed the default system locale to C.UTF-8. After restarting ossec the
> output of the ar scripts hasn't changed. I logged out and logged in as
> root again to verify that the date output is as I want and yes it is:
> Fri Apr 19 19:38:34 CEST 2019
>
> So my question is where does the process that triggers active response
> get its locale from? How can I change that so I get a 24h time format
> not the AM/PM format.
>

No clue. Maybe you have to restart the OSSEC processes after having made that change?

> Normally I would ignore it but I have a script that gathers the number
> of active responses for a given time period and it needs to parse the
> date and time from the logfile reliably.
>
> Regards
> Christian
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
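
A parser that accepts both timestamp layouts quoted in the thread, so a counting script keeps working whichever locale the active-response process runs under. This is an added example, not part of the original messages or of OSSEC; the function names are hypothetical and the sample lines are constructed from the log excerpts above.

```python
import re
from datetime import datetime

# date(1) layout in the C/POSIX locale: "Sat Feb 16 14:11:29 CET 2019 ..."
C_FMT = re.compile(r"^\w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\d{4}) (.*)$")
# 12-hour layout from the thread: "Sat 06 Apr 2019 12:39:54 PM CEST ..."
US_FMT = re.compile(r"^\w{3} (\d{1,2}) (\w{3}) (\d{4}) (\d\d:\d\d:\d\d) ([AP]M) (\S+) (.*)$")

# Constructed sample: the three log excerpts quoted in the thread plus one junk line.
SAMPLE_LINES = [
    "Sat Feb 16 14:11:29 CET 2019 /var/ossec/active-response/...",
    "Sat Apr 6 12:19:14 CEST 2019 /var/ossec/active-response/...",
    "Sat 06 Apr 2019 12:39:54 PM CEST /var/ossec/active-response/...",
    "not a timestamped line",
]

def parse_ar_line(line):
    """Return (naive local datetime, tz abbreviation, rest of line) or None.

    The tz abbreviation is returned as text only; it is not applied to the datetime.
    """
    line = line.rstrip("\n")
    try:
        m = C_FMT.match(line)
        if m:
            mon, day, clock, tz, year, rest = m.groups()
            return datetime.strptime(f"{day} {mon} {year} {clock}", "%d %b %Y %H:%M:%S"), tz, rest
        m = US_FMT.match(line)
        if m:
            day, mon, year, clock, ampm, tz, rest = m.groups()
            stamp = f"{day} {mon} {year} {clock} {ampm}"
            return datetime.strptime(stamp, "%d %b %Y %I:%M:%S %p"), tz, rest
    except ValueError:  # matched the shape but is not a real date, e.g. month "Xyz"
        pass
    return None

def count_responses(lines, start, end):
    """Count entries with start <= timestamp < end; also return the lines that did not parse."""
    count, skipped = 0, []
    for line in lines:
        parsed = parse_ar_line(line)
        if parsed is None:
            if line.strip():
                skipped.append(line.rstrip("\n"))
        elif start <= parsed[0] < end:
            count += 1
    return count, skipped
```

Returning the unparsed lines alongside the count makes a third, unexpected timestamp layout visible instead of silently lowering the total.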