Hi all,

I am using "OSSEC HIDS v2.7 - Trend Micro Inc." in local mode.

I forward logs via syslog to OSSEC from ~20 servers. All working fine, but 
today I noticed a (bug?) problem in the pre-decoding phase of the log 
analysis.

This is the output of logtest on an example sshd log:

*Jul 4 09:42:16* enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2


**Phase 1: Completed pre-decoding.
       full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
       hostname: 'myossechost'
       *program_name: '(null)'*
       log: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'

**Phase 2: Completed decoding.
       No decoder matched.

And the second version is:

*Jul 04 09:42:16* enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2


**Phase 1: Completed pre-decoding.
       full event: 'Jul 04 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
       hostname: 'enigma'
       *program_name: 'sshd'*
       log: 'Accepted password for dcid from 192.168.2.10 port 35259 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'dcid'
       srcip: '192.168.2.10'

**Phase 3: Completed filtering (rules).
       Rule id: '5715'
       Level: '3'
       Description: 'SSHD authentication success.'
**Alert to be generated.


The timestamp is different: the first log is missing a digit in the day 
number. Of course this issue is valid for all the logs and prevents the 
rules relying on <program_name> from working (there are quite a lot).
Have you guys identified this issue, or is it just my misconfiguration? (I know 
that I can change it in the rsyslogd templates; I was just wondering if there 
is already a fix or something is in progress.)


- Giovanni
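As an added example (not part of Giovanni's message and not OSSEC's own code), the following Python reimplements the fixed-position timestamp check that OSSEC's pre-decoder applies to a syslog line: it expects the RFC 3164 form `Mmm dd hh:mm:ss`, fifteen characters wide, where a single-digit day is padded with a leading space (`Jul  4`). A line whose day is written as `Jul 4` is one character short, so the check fails, no hostname or program_name is extracted, and the receiving host's own name is substituted, which is exactly the first logtest run above. The helper names, the `myossechost` fallback and the padding normalizer are assumptions made here for illustration; the sample lines are the two from the post plus the RFC 3164 padded form.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the two lines from the post, plus the RFC 3164 form
# (single-digit day padded with a space) that a standard rsyslog template emits.
SHORT_DAY = "Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2"
TWO_DIGIT_DAY = "Jul 04 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2"
PADDED_DAY = "Jul  4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2"


def has_rfc3164_timestamp(line: str) -> bool:
    """Fixed-position check for 'Mmm dd hh:mm:ss ' (15 chars + space).

    This mirrors the style of test OSSEC's pre-decoder performs; it is a
    reimplementation for illustration, not OSSEC's code.
    """
    return (
        len(line) > 16
        and line[:3].isalpha()
        and line[3] == " " and line[6] == " "
        and line[9] == ":" and line[12] == ":" and line[15] == " "
        and line[4:6].strip().isdigit()          # day: ' 4' or '04'
        and line[7:9].isdigit() and line[10:12].isdigit() and line[13:15].isdigit()
    )


# Assumed helper: rewrite 'Mmm d ' into 'Mmm  d ' so the timestamp is 15 wide.
# This is what fixing the sender's rsyslog template to the RFC 3164 timestamp
# format achieves at the source; doing it on the receiver is only a workaround.
_SHORT_DAY = re.compile(r"^([A-Z][a-z]{2}) (\d) (\d{2}:\d{2}:\d{2} )")


def normalize_timestamp(line: str) -> str:
    return _SHORT_DAY.sub(r"\1  \2 \3", line)


@dataclass
class PreDecoded:
    hostname: Optional[str]
    program_name: Optional[str]
    pid: Optional[str]
    log: str


# 'host prog[pid]: message' or 'host prog: message'
_HOST_PROG = re.compile(r"^(\S+) ([^\[:]+?)(?:\[(\d+)\])?: (.*)$")


def predecode(line: str, local_host: str = "myossechost") -> PreDecoded:
    """Split a syslog line into hostname / program_name / pid / log.

    When the timestamp check fails, no fields are extracted: the whole line
    becomes the log and the receiving host's name is used, as in the first
    logtest run. 'myossechost' is an assumed name for the OSSEC server.
    """
    if not has_rfc3164_timestamp(line):
        return PreDecoded(local_host, None, None, line)
    rest = line[16:]                     # skip 'Mmm dd hh:mm:ss '
    m = _HOST_PROG.match(rest)
    if not m:
        return PreDecoded(local_host, None, None, rest)
    return PreDecoded(m.group(1), m.group(2), m.group(3), m.group(4))


if __name__ == "__main__":
    for sample in (SHORT_DAY, normalize_timestamp(SHORT_DAY), TWO_DIGIT_DAY, PADDED_DAY):
        print(repr(sample[:15]), "->", predecode(sample))
```

Running it shows `program_name=None` only for the `Jul 4` line; once the day is padded (or the sender emits a two-digit or space-padded day), hostname `enigma`, program_name `sshd` and pid `11990` are recovered and the `sshd` decoder has something to match on.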

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.