Hi all, I am using "OSSEC HIDS v2.7 - Trend Micro Inc." in local mode.
I forward logs via syslog to OSSEC from ~20 servers. All working fine, but today I noticed a (bug?) problem in the pre-decoding phase of the log analysis. This is the output of logtest on some SSHd example log:

    *Jul 4 09:42:16* enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2

    **Phase 1: Completed pre-decoding.
           full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
           hostname: 'myossechost'
           *program_name: '(null)'*
           log: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'

    **Phase 2: Completed decoding.
           No decoder matched.

And the second version is:

    *Jul 04 09:42:16* enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2

    **Phase 1: Completed pre-decoding.
           full event: 'Jul 04 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
           hostname: 'enigma'
           *program_name: 'sshd'*
           log: 'Accepted password for dcid from 192.168.2.10 port 35259 ssh2'

    **Phase 2: Completed decoding.
           decoder: 'sshd'
           dstuser: 'dcid'
           srcip: '192.168.2.10'

    **Phase 3: Completed filtering (rules).
           Rule id: '5715'
           Level: '3'
           Description: 'SSHD authentication success.'
    **Alert to be generated.

The time stamp is different: the first log is missing a digit in the day number. Of course this issue is valid for all the logs and prevents the rules relying on <program_name> from working (there are quite a lot). Have you guys identified this issue, or is it just my misconfiguration? (I know that I can change it on rsyslogd templates, I was just wondering if there is already a fix or something is in progress.)

- Giovanni

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
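To make the failure mode in the post concrete, here is an added example (not code from the post or from OSSEC) that contrasts two ways of pre-decoding an RFC 3164 syslog header. `strict_predecode` assumes, as a simplification, a pre-decoder that expects the timestamp to occupy exactly the first 15 characters ("Mmm dd HH:MM:SS"), so a one-digit day written with a single space ("Jul 4") shifts the whole line and the hostname and program_name are never extracted, which is what the first logtest run shows. `lenient_predecode` accepts "Jul 4", "Jul  4" and "Jul 04" and normalises the day to the space-padded RFC 3164 form, and `normalize_syslog_line` does the rewrite a forwarding template would do before the line reaches the analysis engine. The sample lines are constructed from the post's sshd example; all function names are my own.

```python
import re
from typing import Optional

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Constructed sample lines modelled on the two logtest inputs in the post.
# RFC 3164 pads a one-digit day with a space ("Jul  4"); some syslog
# templates collapse that to a single space ("Jul 4") or zero-pad it ("Jul 04").
SAMPLE_SINGLE_SPACE = ("Jul 4 09:42:16 enigma sshd[11990]: "
                       "Accepted password for dcid from 192.168.2.10 port 35259 ssh2")
SAMPLE_RFC3164 = SAMPLE_SINGLE_SPACE.replace("Jul 4", "Jul  4", 1)
SAMPLE_ZERO_PADDED = SAMPLE_SINGLE_SPACE.replace("Jul 4", "Jul 04", 1)

_PROGRAM = re.compile(r"^(?P<program_name>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<log>.*)$")


def _split_after_timestamp(rest: str) -> dict:
    """Split 'host prog[pid]: message' into hostname, program_name, pid and log."""
    hostname, _, tail = rest.partition(" ")
    m = _PROGRAM.match(tail)
    if not m:
        return {"hostname": hostname, "program_name": None, "pid": None, "log": tail}
    return {"hostname": hostname, **m.groupdict()}


def strict_predecode(line: str) -> Optional[dict]:
    """Fixed-position header check (assumption: a simplified stand-in for a
    pre-decoder that requires 'Mmm dd HH:MM:SS ' in the first 16 characters).

    A single-space day ('Jul 4 09:42:16') moves every later character one
    position to the left, so the check fails and None is returned: no
    hostname or program_name is available to later decoders and rules.
    """
    if (len(line) < 16 or line[:3] not in MONTHS
            or line[3] != " " or line[6] != " "
            or line[9] != ":" or line[12] != ":" or line[15] != " "):
        return None
    return {"timestamp": line[:15], **_split_after_timestamp(line[16:])}


_HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")


def lenient_predecode(line: str) -> Optional[dict]:
    """Tolerant header parse that accepts 'Jul 4', 'Jul  4' and 'Jul 04'.

    The timestamp is normalised to the RFC 3164 form (space-padded day) so
    downstream consumers see one consistent format whatever the sender used.
    """
    m = _HEADER.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    timestamp = f"{m['mon']} {int(m['day']):2d} {m['time']}"
    return {"timestamp": timestamp, **_split_after_timestamp(m["rest"])}


def normalize_syslog_line(line: str) -> Optional[str]:
    """Rewrite a line so that a strict, fixed-position pre-decoder accepts it.

    This is the normalisation a forwarding syslog template (e.g. on the
    rsyslog side, as the post mentions) would apply before relaying the line.
    """
    m = _HEADER.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    return f"{m['mon']} {int(m['day']):2d} {m['time']} {m['rest']}"


if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE_SPACE, SAMPLE_RFC3164, SAMPLE_ZERO_PADDED):
        strict = strict_predecode(sample)
        print(repr(sample[:15]),
              "strict program_name:", None if strict is None else strict["program_name"],
              "lenient program_name:", lenient_predecode(sample)["program_name"])
```

Running the block prints that only the single-space variant is rejected by the strict parser, while the lenient parser recovers `sshd` from all three; feeding `normalize_syslog_line(SAMPLE_SINGLE_SPACE)` back into `strict_predecode` succeeds, which is the effect of fixing the sender's template rather than the analysis engine.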
