Oops, the `program_name: 'myhostname'` should be `program_name: 'irprinfsec7'`.

On Tue, Jul 12, 2011 at 5:28 PM, jplee3 <[email protected]> wrote:
> Hey all,
>
> So I'm working on a decoder for SEP logs (if someone has come up with one already, feel free to share!) and I noticed that the format is as such:
>
> Jun 6 09:20:26 SymantecServer irprinfsec7: Virus found...
>
> Ossec-logtest yields this response:
>
> **Phase 1: Completed pre-decoding.
> full event: 'Jun 6 09:20:26 SymantecServer irprinfsec7: Virus found,'
> hostname: 'SymantecServer'
> program_name: 'myhostname'
> log: 'Virus found,'
>
> Apparently, the hostname and program_name are reversed because OSSEC is expecting it the other way. Is there a way to force OSSEC to recognize program_name ahead of hostname in the decoder? Or does someone know of a way to change the syslog format in SEP? :)
>
> The SEP logs sure are noisy btw... I still need to go through and cut down the ones that are just spewing out noise. It's hard to tell what's important and what's not though.
>
> Anyway, if anyone has input, it would be greatly appreciated.
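An added illustration (example code, not from the thread or from OSSEC) of why the pre-decoding step shown above swaps the two fields: a plain syslog header parser puts whatever follows the timestamp into `hostname`, so the SEP line's `SymantecServer` tag lands there. The `predecode_sep` variant assumes that the literal `SymantecServer` token is the program tag and that the token after it is the real host; `vendor_tag` is a hypothetical parameter.

```python
import re
from typing import Dict, Optional

# Constructed sample, copied from the ossec-logtest input quoted in the thread.
SAMPLE = "Jun 6 09:20:26 SymantecServer irprinfsec7: Virus found,"

# Syslog header as a pre-decoder expects it:
#   <Mon> <day> <HH:MM:SS> <hostname> <program_name>[pid]: <log>
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)


def predecode(line: str) -> Optional[Dict[str, str]]:
    """Plain syslog pre-decoding.

    On the SEP line this yields the swapped fields seen in the thread:
    hostname='SymantecServer', program_name='irprinfsec7'.
    """
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def predecode_sep(line: str, vendor_tag: str = "SymantecServer") -> Optional[Dict[str, str]]:
    """SEP-aware pre-decoding (assumption: the vendor tag is the program name
    and the token after it is the host). Other lines parse as plain syslog."""
    fields = predecode(line)
    if fields is None:
        return None
    if fields["hostname"] == vendor_tag:
        # Swap the two header tokens so the real host is searchable as hostname.
        fields["hostname"], fields["program_name"] = fields["program_name"], vendor_tag
    return fields


if __name__ == "__main__":
    print("plain syslog :", predecode(SAMPLE))
    print("SEP-aware    :", predecode_sep(SAMPLE))
```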
