Hey all,

So I'm working on a decoder for SEP logs (if someone has come up with
one already, feel free to share!) and I noticed that the format is as
such:

Jun  6 09:20:26 SymantecServer irprinfsec7: Virus found...
Ossec-logtest yields this response:

**Phase 1: Completed pre-decoding.
       full event: 'Jun  6 09:20:26 SymantecServer irprinfsec7: Virus
found,'
       hostname: 'SymantecServer'
       program_name: 'myhostname'
       log: 'Virus found,'


Apparently, the hostname and program_name are reversed because OSSEC
is expecting it the other way. Is there a way to force OSSEC to
recognize program_name ahead of hostname in the decoder? Or does
someone know of a way to change the syslog format in SEP? :)

The SEP logs sure are noisy btw... I still need to go through and cut
down the ones that are just spewing out noise. It's hard to tell
what's important and what's not though.


Anyway, if anyone has input, it would be greatly appreciated.
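To make the swap easier to see, here is a small Python model of the syslog pre-decoding step and of a SEP-aware variant that puts the fields back. It is an added example, not OSSEC's code and not anything from the original post; the sample lines are constructed, the regex is my approximation of the "hostname program_name: log" split, and `SymantecServer` is taken from the line above as the literal SEP writes into the hostname slot.

```python
import re

# Constructed sample lines (not captured from a real deployment).
SEP_LINE = "Jun  6 09:20:26 SymantecServer irprinfsec7: Virus found,"
SSHD_LINE = "Jun  6 09:20:27 irprinfsec7 sshd[1234]: Accepted publickey for bob"

# Approximation of the generic syslog pre-decoder (assumption, not OSSEC's code):
#   "<Mon> <d> <HH:MM:SS> <hostname> <program_name>[pid]: <log>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# SEP puts this literal where syslog normally carries the hostname; the real
# host name follows it and therefore lands in program_name.
SEP_MARKER = "SymantecServer"


def predecode(line):
    """Return the fields a generic syslog pre-decoder produces, or None."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def predecode_sep_aware(line):
    """Same split, but swap the two fields back when the SEP layout is detected."""
    fields = predecode(line)
    if fields and fields["hostname"] == SEP_MARKER:
        fields["hostname"], fields["program_name"] = (
            fields["program_name"], fields["hostname"])
    return fields


if __name__ == "__main__":
    for line in (SEP_LINE, SSHD_LINE):
        print("generic  :", predecode(line))
        print("SEP-aware:", predecode_sep_aware(line))
```

The ordinary sshd line passes through both functions unchanged, so the swap only affects lines carrying the SEP marker.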