Hello all, I am trying to monitor a device via its syslog output. The problem is that the device uses a non-standard timestamp in that it outputs the year as part of the timestamp, like so:
    Jun 9 12:45:32 2011 [192.168.64.34] prognamed[434]: message here

instead of:

    Jun 9 12:45:32 192.168.64.34 prognamed: message here

ossec assumes the year (2011 in this case) is the hostname, not part of the timestamp. Of course this makes it difficult to write decent rules. Since I cannot change how the device writes timestamps, I am wondering if there is any way, short of modifying the code for ossec, to change the way predecoders parse these messages. Any ideas? Thanks.

--Matt
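One workaround short of patching the decoder, shown here as an added example that is not part of the original post or of OSSEC: rewrite the device's lines into the standard layout before they reach OSSEC (for instance in a small relay or pipe filter in front of the log input). The regexes and the two sample lines are constructed from the formats quoted above; the year is dropped because the standard timestamp has no field for it.

```python
import re
from typing import Optional

# Constructed sample lines mirroring the two formats quoted in the post.
DEVICE_LINE = "Jun 9 12:45:32 2011 [192.168.64.34] prognamed[434]: message here"
STANDARD_LINE = "Jun 9 12:45:32 192.168.64.34 prognamed: message here"

# Shared "Mon  D HH:MM:SS" prefix used by both layouts.
TIMESTAMP = r"(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) +(?P<time>\d{2}:\d{2}:\d{2})"
PROGRAM = r"(?P<program>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"

# Device layout: timestamp, four-digit year, host in square brackets, program[pid]: msg
DEVICE_RE = re.compile(TIMESTAMP + r" +(?P<year>\d{4}) +\[(?P<host>[^\]]+)\] +" + PROGRAM)
# Standard BSD-syslog layout: timestamp, bare hostname, program[pid]: msg
STANDARD_RE = re.compile(TIMESTAMP + r" +(?P<host>\S+) +" + PROGRAM)


def parse(line: str) -> Optional[dict]:
    """Return the syslog fields of a line, or None if neither layout matches.

    The device pattern is tried first so that a device line is never read
    with the year in the hostname slot, which is the mis-parse described above.
    """
    for pattern in (DEVICE_RE, STANDARD_RE):
        m = pattern.match(line)
        if m:
            return m.groupdict()
    return None


def normalize(line: str) -> str:
    """Rewrite a device line into the standard layout; pass other lines through.

    Lines already in the standard layout, and lines that parse as neither,
    are returned unchanged so the filter never drops input.
    """
    fields = parse(line)
    if fields is None or "year" not in fields:
        return line
    prog = fields["program"] + (f"[{fields['pid']}]" if fields["pid"] else "")
    return f"{fields['month']} {fields['day']} {fields['time']} {fields['host']} {prog}: {fields['message']}"


if __name__ == "__main__":
    for sample in (DEVICE_LINE, STANDARD_LINE):
        print(normalize(sample))
```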
