Unless that format is added to ossec, the best option might be to <prematch>prognamed</prematch>.
On Thu, Jun 9, 2011 at 5:03 PM, Matt <[email protected]> wrote:
> Hello all,
>
> I am trying to monitor a device via its syslog output. The problem is
> that the device uses a non-standard timestamp in that it outputs the
> year as part of the timestamp, like so:
>
> Jun 9 12:45:32 2011 [192.168.64.34] prognamed[434]: message here
>
> instead of:
>
> Jun 9 12:45:32 192.168.64.34 prognamed: message here
>
> ossec assumes the year (2011 in this case) is the hostname, not part
> of the timestamp. Of course this makes it difficult to write decent
> rules. Since I cannot change how the device writes timestamps I am
> wondering if there is any way short of modifying the code for ossec to
> change the way predecoders parse these messages. Any ideas? Thanks.
>
> --Matt
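As an added illustration of the prematch approach suggested above (this decoder is not from the thread or from the OSSEC project; the decoder name is made up), the custom decoder keys on the literal program name instead of the header that the syslog predecoder mis-reads. The prematch is deliberately not anchored with ^, so it matches whether or not the predecoder has already stripped the timestamp and the "2011" it took for a hostname; the regex then pulls the bracketed address and the message text out of the line. OSSEC's regex dialect is assumed here: a plain . is a literal dot, \. matches any character, and square brackets are literal.

```xml
<decoder name="prognamed-yearstamp">
  <!-- Added example, hypothetical name: match on the program name, which is stable,
       rather than on the header fields the predecoder gets wrong for this device. -->
  <prematch>prognamed[\d+]: </prematch>
  <!-- Capture the bracketed address as srcip and the remainder as extra_data. -->
  <regex>[(\d+.\d+.\d+.\d+)] prognamed[\d+]: (\.+)$</regex>
  <order>srcip, extra_data</order>
</decoder>
```

Drop it into the local decoder file and feed the sample line from the message into ossec-logtest to confirm that srcip and extra_data are populated before writing rules against it; if the predecoder output differs on a given OSSEC version, the unanchored prematch still fires but the regex captures should be checked against what logtest actually shows.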
