I'm having trouble predecoding Aruba logs, apparently because they include the year:
Jan 7 10:38:09 2009 [1.1.1.1] sapd[306]: <504180> <ERRS> |AP [email protected] sapd| AM 00:0b:86:b3:77:33: ADHOC network detected with Src 00:16:6f:2e:32:b1, BSSID 02:1b:77:00:3d:3c, ESSID myessid Channel 10 and RSSI 5

Running this through ossec-testrule provides the following output:

ossec-testrule: Type one log per line.

Jan 7 10:38:09 2009 [1.1.1.1] sapd[306]: <504180> <ERRS> |AP [email protected] sapd| AM 00:0b:86:b3:77:33: ADHOC network detected with Src 00:16:6f:2e:32:b1, BSSID 02:1b:77:00:3d:3c, ESSID myessid Channel 10 and RSSI 5

**Phase 1: Completed pre-decoding.
       full event: 'Jan 7 10:38:09 2009 [1.1.1.1] sapd[306]: <504180> <ERRS> |AP [email protected] sapd| AM 00:0b:86:b3:77:33: ADHOC network detected with Src 00:16:6f:2e:32:b1, BSSID 02:1b:77:00:3d:3c, ESSID myessid Channel 10 and RSSI 5'
       hostname: '2009'
       program_name: ''
       log: ''

**Phase 2: Completed decoding.
       No decoder matched.

Apparently adding the year to the syslog line is non-standard? At any rate, '2009' is being pre-decoded as the hostname. Any thoughts?

--Matt
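To show why the pre-decoder lands on '2009' as the hostname, here is an added example (not OSSEC's code and not from the post) that models a syslog header parse in Python. With the strict BSD layout, the token after the timestamp is taken as the hostname whatever it is, so the year ends up there and the bracketed IP then prevents the "program[pid]:" token from matching, leaving program_name and log empty, which is the same shape ossec-testrule printed above. A second, year-aware pattern consumes the year first so the remaining fields line up. The two regexes, the field names and the comparison line ap-lab-01 are assumptions made for this illustration, not OSSEC's actual internals.

```python
import re
from typing import Dict

# Sample input: the log line quoted in the post above, copied as it appears there.
ARUBA_LINE = (
    "Jan 7 10:38:09 2009 [1.1.1.1] sapd[306]: <504180> <ERRS> "
    "|AP [email protected] sapd| AM 00:0b:86:b3:77:33: ADHOC network detected "
    "with Src 00:16:6f:2e:32:b1, BSSID 02:1b:77:00:3d:3c, ESSID myessid "
    "Channel 10 and RSSI 5"
)
# Constructed comparison line in the standard BSD syslog layout (no year, bare hostname).
STANDARD_LINE = (
    "Jan  7 10:38:09 ap-lab-01 sapd[306]: ADHOC network detected with Src 00:16:6f:2e:32:b1"
)

_MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
_TS = rf"(?P<timestamp>{_MONTH}\s+\d{{1,2}} \d{{2}}:\d{{2}}:\d{{2}})"

# Standard header: "<timestamp> <hostname> <program>[pid]: <log>".
_STANDARD = re.compile(rf"^{_TS} (?P<hostname>\S+) (?P<rest>.*)$")
# Aruba variant seen in the post: a four-digit year after the timestamp and the
# host written as a bracketed IP address (assumed layout, modelled on the one line).
_WITH_YEAR = re.compile(rf"^{_TS} (?P<year>\d{{4}}) \[(?P<hostname>[^\]]+)\] (?P<rest>.*)$")
# Program name, optional [pid], then the colon that separates it from the log body.
_PROGRAM = re.compile(r"^(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<log>.*)$")


def predecode(line: str, year_aware: bool = False) -> Dict[str, str]:
    """Split a syslog line into the fields a pre-decoder hands to the decoders.

    year_aware=False mimics a strict BSD-syslog header parse: the token after the
    timestamp becomes the hostname no matter what it is, which is why the post
    sees hostname '2009'. year_aware=True tries the year-carrying layout first so
    the hostname, program and log fields line up.
    """
    fields = {"timestamp": "", "year": "", "hostname": "", "program_name": "", "pid": "", "log": ""}
    m = _WITH_YEAR.match(line) if year_aware else None
    if m is None:
        m = _STANDARD.match(line)
    if m is None:
        fields["log"] = line  # no recognisable header: the whole line is the message
        return fields
    fields.update({k: v for k, v in m.groupdict().items() if k != "rest" and v is not None})
    p = _PROGRAM.match(m.group("rest"))
    if p is None:
        # Header consumed but no "program[pid]:" token follows (e.g. "[1.1.1.1]" is
        # sitting there), so program_name and log stay empty, as in the post's output.
        return fields
    fields.update({k: v or "" for k, v in p.groupdict().items()})
    return fields


if __name__ == "__main__":
    for label, line, aware in (
        ("strict parse of Aruba line", ARUBA_LINE, False),
        ("year-aware parse of Aruba line", ARUBA_LINE, True),
        ("year-aware parse of standard line", STANDARD_LINE, True),
    ):
        print(f"== {label}")
        for key, value in predecode(line, year_aware=aware).items():
            print(f"  {key}: '{value}'")
```

Running the module prints the strict parse first (hostname '2009', empty program_name and log) and then the year-aware parse, where the hostname is 1.1.1.1, program_name is sapd with pid 306, and the log body starts at '<504180>'. The standard line parses the same way under both modes, which is the property to preserve whenever a pre-decoder is taught a vendor-specific header: the non-standard layout is tried first, and everything else falls through to the usual one.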
