On Jul 12, 2011, at 8:28 PM, jplee3 wrote:

> Apparently, the hostname and program_name are reversed because OSSEC
> is expecting it the other way. Is there a way to force OSSEC to
> recognize program_name ahead of hostname in the decoder? Or does
> someone know of a way to change the syslog format in SEP? :)

It would appear OSSEC is reading it that way because it looks like a standard syslog message, albeit backwards. This seems like something that Symantec should fix. Since it's the pre-decoder that's picking this up, I'm not sure there is a way for OSSEC to fix this unless you write a new pre-decoder, which is a compiled resource, I believe.

---------------------------
Jason 'XenoPhage' Frisvold
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
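To make the field-order problem concrete, here is an added example (not code from the thread, OSSEC or Symantec) that models the pre-decoder's syslog header parsing as a simplified regex and shows how a line whose hostname and program_name tokens are swapped lands in the wrong fields, together with a normalization step that could run on a relay before the line reaches OSSEC. The header regex, the `SymantecServer` token and both sample lines are assumptions constructed for the example; check them against your own SEP output.

```python
import re

# Simplified model of how a BSD-syslog pre-decoder reads the header (an assumption,
# not OSSEC's actual code): after the timestamp, the next token is the hostname and
# the token before the first ':' is the program_name, with an optional [pid] stripped.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                                    # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "      # e.g. "Jul 12 20:28:01"
    r"(?P<hostname>\S+) "                                 # first token after timestamp
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: "          # token before ':' (+ optional [pid])
    r"(?P<log>.*)$"
)


def predecode(line):
    """Return the header fields a pre-decoder would extract, or None if no match."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


# Tokens that identify a product rather than a host; when one of these shows up in
# the hostname position, the vendor emitted the two fields in reverse order.
# Constructed for the example; confirm the real token from your own logs.
SWAPPED_PROGRAMS = {"SymantecServer"}


def normalize(fields):
    """Swap hostname and program_name when the source wrote them backwards."""
    if fields and fields["hostname"] in SWAPPED_PROGRAMS:
        fields = dict(fields, hostname=fields["program_name"],
                      program_name=fields["hostname"])
    return fields


# Constructed sample lines, not real captures: a normal sshd line, and a line in
# the reversed "<product> <host>: <message>" shape the thread describes.
SAMPLE_LINES = [
    "<13>Jul 12 20:28:01 web01 sshd[4242]: Accepted publickey for admin from 10.0.0.5",
    "Jul 12 20:28:02 SymantecServer sepm01: Virus found,Computer name: LAB-PC",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        raw = predecode(line)
        fixed = normalize(raw)
        print(f"as parsed: host={raw['hostname']:<15} prog={raw['program_name']:<15} "
              f"| normalized: host={fixed['hostname']} prog={fixed['program_name']}")
```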
