On Tue, 12 Jul 2011 17:52:23 -0700, Jeremy Lee wrote:
Apparently, the hostname and program_name are reversed because OSSEC is expecting it the other way. Is there a way to force OSSEC to recognize program_name ahead of hostname in the decoder? Or does someone know of a way to change the syslog format in SEP? :)
This doesn't surprise me with SEP. The reports don't work right, either.
In instances where the log format is not RFC-compliant, you can consider them text strings. Just write your decoder starting from the beginning of the line. You won't be able to use program_name, but you can extract the other relevant details. Another option is to look at the Windows Application Log for the events if the same events are recorded.
-- Michael Starks [I] Immutable Security http://www.immutablesecurity.com
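As an added illustration of the advice above (this is not from the original thread, nor one of OSSEC's stock decoders): a decoder that ignores the pre-decoded program_name entirely and anchors on the message text itself. The log line it assumes is a constructed placeholder, not SEP's real syslog format, so the prematch and regex would need to be rewritten against a line captured from the real server.

```xml
<!-- Added example, not from the original thread or from OSSEC's shipped
     decoders. It assumes a CONSTRUCTED line of the form

       Jul 12 17:52:23 SymantecServer epmgr01: Virus found,Computer name: WS-042,IP Address: 10.1.2.3,User: jdoe

     OSSEC's syslog pre-decoder takes the token after the timestamp as the
     hostname ("SymantecServer") and the token before the colon as
     program_name ("epmgr01"), which is the reversal described in the thread.
     Since program_name then holds a per-host value, no <program_name> element
     is used; matching starts at the beginning of the message text instead. -->

<decoder name="sep-event">
  <!-- Match on the literal event prefix at the start of the message text.
       "Virus found," is a placeholder event name, not confirmed SEP wording. -->
  <prematch>^Virus found,</prematch>
  <!-- Pull the fields that are still usable even though program_name is not.
       OSSEC regex: \S+ is a run of non-space characters, ( ) captures. -->
  <regex offset="after_prematch">^Computer name: (\S+),IP Address: (\S+),User: (\S+)</regex>
  <!-- Assigned in capture order; the real endpoint name lands in system_name,
       since the hostname slot already contains the vendor tag. -->
  <order>system_name, srcip, user</order>
</decoder>
```

Check what the decoder actually sees before trusting it: feed a real captured line to /var/ossec/bin/ossec-logtest and confirm in its output which part of the line reaches the decoder as the message and which fields are populated. If SEP emits several event types with different prefixes, give each its own child decoder with a shared parent rather than one regex that tries to cover them all.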
