Out of curiosity, why did you revert to an ancient version of OSSEC
instead of fixing or replacing WUI (which has been a dead project for
years)?

On Wed, Sep 14, 2011 at 8:57 AM, Mike Disley
<[email protected]> wrote:
> I had the same issue when I upgraded to ver 2.6.  I rolled back to 2.3 and 
> the problem went away.
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Alexander Rikmanis
> Sent: Tuesday, September 13, 2011 8:28 PM
> To: ossec-list
> Subject: [ossec-list] ossec-wui BUG
>
> Log files are parsed incorrectly.
> Here is the raw log file from OSSEC and what WUI shows me:
> ----------------------------------------------------------------------------------------------
> WUI:
> 2011 Sep 14 10:10:13 Rule Id: 5501 level: 3
> Location: (manager) aa.bb.cc.dd->/var/log/secure Src IP: 8:10:14 takapu 
> sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0) 
> ^^^^^^^^^^^^^^^^^^^^^^^^ Login session opened.
> ** Alert 1315951847.1022810: - pam,syslog,authentication_success,
> 2011 Sep 14 10:10:47 (manager) aa.bb.cc.dd->/var/log/secure
> Rule: 5501 (level 3) -> 'Login session opened.'
> Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user 
> root by sw(uid=1001)
> -------------------------------------------------------------------------
> Raw log:
> ** Alert 1315951813.1022534: - pam,syslog,authentication_success,
> 2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
> Rule: 5501 (level 3) -> 'Login session opened.'
> Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Look at "Src IP" field - there is a date there. And the first symbol is gone.
>
> Here is the screenshot: http://i52.tinypic.com/n1xn9i.png
>
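
An added example, not part of this thread and not ossec-wui code: a parser for the alert block layout shown in the raw log above that recognizes a source-IP field by its label and by being a valid address, so an alert with no such line never reports log text as "Src IP". Treating `Src IP:` as an optional line of its own is an assumption, and the sample input is constructed.

```python
import ipaddress
import re

# Constructed sample in the raw-log layout quoted above (addresses and Src IP line made up).
SAMPLE = """\
** Alert 1315951813.1022534: - pam,syslog,authentication_success,
2011 Sep 14 10:10:13 (manager) 192.0.2.10->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)

** Alert 1315951847.1022810: - pam,syslog,authentication_success,
2011 Sep 14 10:10:47 (manager) 192.0.2.10->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Src IP: 198.51.100.7
Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user root by sw(uid=1001)
"""

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+):.*?- (.*)$")
STAMP = re.compile(r"^(\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (.+)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def is_ip(value):
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True

def parse_alerts(text):
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = [p.match(l) for p, l in zip((HEADER, STAMP, RULE), lines)]
        if len(m) < 3 or not all(m):
            continue  # skip anything that is not a complete alert block
        head, stamp, rule = m
        alert = {"id": head.group(1),
                 "groups": [g for g in head.group(2).split(",") if g],
                 "time": stamp.group(1), "location": stamp.group(2), "rule": int(rule.group(1)),
                 "level": int(rule.group(2)), "description": rule.group(3), "srcip": None, "log": []}
        for line in lines[3:]:
            label, _, value = line.partition(": ")
            # Take the field by label, only before log text, and only if it is an address.
            if label == "Src IP" and not alert["log"] and is_ip(value):
                alert["srcip"] = value.strip()
            else:
                alert["log"].append(line)
        alerts.append(alert)
    return alerts
```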
