I upgraded to OSSEC 2.6. I'm using logtest, but can't seem to get the simplest
example from the documentation to work. Why is "program_name" null? I was
expecting "sshd".

[root@athens ossec]# ./ossec-logtest
2012/07/18 01:00:50 ossec-testrule: INFO: Reading local decoder file.
2012/07/18 01:00:50 ossec-testrule: INFO: Started (pid: 19099).
ossec-testrule: Type one log per line.

Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from
192.168.2.10 port 35259 ssh2


**Phase 1: Completed pre-decoding.
       full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password
for dcid from 192.168.2.10 port 35259 ssh2'
       hostname: 'athens'
       program_name: '(null)'
       log: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid
from 192.168.2.10 port 35259 ssh2'

**Phase 2: Completed decoding.
       No decoder matched.


-- 
Gil Vidals
