I don't understand how that's such a problem; or at least why it's a problem to at least merely include the original timestamps. I'm trying to use OSSEC in conjunction with Logstash, and am using Logstash to parse out the timestamp. When pulling Windows event logs, OSSEC doesn't even appear to bother to include the timestamp of the original event log. Why not?? If that data was at least *included* in the message then I could work with it.

On Wednesday, August 15, 2012 3:53:43 PM UTC-7, Daniel Cid wrote:
>
> Yes, we could do some interesting rules there :) 
>
> The issue is that OSSEC stores the alerts in a sequential mode and it
> wouldn't be able to go back in time and store the alerts on the proper
> position based on the log time. Plus, it would be a big mess if servers
> are on a different timezone or do not have the times in sync...
>
> thanks, 
>
> -- 
> Daniel B. Cid 
> http://dcid.me 
>
>
>
> On Wed, Aug 15, 2012 at 3:51 PM, dan (ddp) <[email protected]> wrote:
> > On Wed, Aug 15, 2012 at 2:45 PM, Kat <[email protected]> wrote:
> >> Is there a way to tell OSSEC to use the timestamp of the actual logfile 
> >> entry rather than its own "internal timestamp of when it sees the 
> alert"? 
> >> 
> >> This should be a configuration option - *hint hint* 
> >> 
> >> Unless there is already a way to do this. 
> >> 
> >> thanks 
> >> K 
> > 
> > There's currently no way to do this, and I don't see it happening. 
> > 
> > Although, I do want to see OSSEC taking the event's timestamp into 
> > account, and possibly send an additional alert for strange timestamps 
> > (old events, predictions of future events, etc). 
>

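The check dan describes at the end of the quoted thread (keep the collector's own receipt time as the ordering key, but still read the event's embedded timestamp and raise a separate alert for old or future-dated events) written out as an added example. This is not OSSEC or Logstash code. The log lines and receipt times are constructed; the thresholds are illustrative; and treating BSD-syslog timestamps (no year, no zone) as UTC is an assumption made on purpose, because it shows the timezone problem Daniel raises: the same wall-clock time is "seven hours stale" without an offset and "on time" with one.

```python
"""Flag log events whose embedded timestamp disagrees with receipt time.

Added example, not code from OSSEC or Logstash.  It keeps the collector's
receipt time as the ordering key, parses the timestamp inside the event,
and classifies the event as ok, stale, future-dated, or lacking a stamp.
"""
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# BSD syslog header: "Aug 15 14:45:02 host ..." (no year, no zone).
BSD_SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) ")
# ISO 8601 with an explicit zone: "2012-08-15T14:45:02-07:00 host ...".
ISO8601_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})) ")


def parse_event_time(line, received_at):
    """Return the event's timestamp as an aware datetime, or None.

    ISO 8601 stamps carry their own offset and need no guessing.  BSD
    syslog stamps carry neither year nor zone, so we borrow the year from
    received_at and ASSUME UTC; a host logging in local time will look
    skewed by its offset, which is exactly the mess the thread warns about.
    """
    m = ISO8601_RE.match(line)
    if m:
        return datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    m = BSD_SYSLOG_RE.match(line)
    if m:
        hh, mm, ss = (int(x) for x in m.group("hms").split(":"))
        ts = datetime(received_at.year, MONTHS[m.group("mon")],
                      int(m.group("day")), hh, mm, ss, tzinfo=timezone.utc)
        # A December event received in early January belongs to last year.
        if ts - received_at > timedelta(days=7):
            ts = ts.replace(year=ts.year - 1)
        return ts
    return None


def classify(line, received_at, max_age=timedelta(minutes=10),
             max_future=timedelta(minutes=5)):
    """Return (status, skew) where skew = received_at - event_time.

    status is one of "ok", "stale", "future", "no_timestamp".  Thresholds
    are illustrative; tune them to the real delivery latency of agents.
    """
    event_time = parse_event_time(line, received_at)
    if event_time is None:
        return "no_timestamp", None
    skew = received_at - event_time
    if skew > max_age:
        return "stale", skew
    if skew < -max_future:
        return "future", skew
    return "ok", skew


# Constructed samples: (time the collector received the line, raw line).
RECEIVED = datetime(2012, 8, 15, 21, 45, 10, tzinfo=timezone.utc)
SAMPLES = [
    (RECEIVED, "Aug 15 21:45:02 web01 sshd[1234]: Failed password for root "
               "from 203.0.113.5 port 4422 ssh2"),
    # Either a 7-hour delivery delay or a host writing local time (UTC-7):
    # the BSD format cannot tell us which.
    (RECEIVED, "Aug 15 14:45:02 db01 sshd[2201]: Accepted publickey for "
               "deploy from 198.51.100.7 port 51022 ssh2"),
    (RECEIVED, "2012-08-16T03:00:00Z app02 cron[99]: (root) CMD "
               "(/usr/local/bin/backup.sh)"),
    # Same wall-clock time as the db01 line, but the offset makes it right.
    (RECEIVED, "2012-08-15T14:45:02-07:00 web03 sudo: deploy : TTY=pts/0 ; "
               "COMMAND=/bin/systemctl restart nginx"),
    # Shape of a Windows event forwarded without its original stamp
    # (constructed; the exact agent field layout is not shown here).
    (RECEIVED, "WinEvtLog: Security: AUDIT_FAILURE(4625): "
               "Microsoft-Windows-Security-Auditing: An account failed to log on."),
    # Year rollover: a Dec 31 event received just after midnight on Jan 1.
    (datetime(2013, 1, 1, 0, 0, 30, tzinfo=timezone.utc),
     "Dec 31 23:59:50 web01 sshd[1234]: Received disconnect from 203.0.113.5"),
]


def scan(samples):
    """Classify every (received_at, line) pair; returns the list of statuses."""
    return [classify(line, received_at)[0] for received_at, line in samples]


if __name__ == "__main__":
    for (received_at, line), status in zip(SAMPLES, scan(SAMPLES)):
        print(f"{status:13} {line[:60]}")
```

The db01 and web03 lines make the practical point: a stale-event alert on unzoned syslog timestamps is only as good as the clock and zone configuration of the sending hosts, so pair such a rule with NTP and with log formats that carry an explicit offset before trusting its output.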