Then it will probably require a source code change. Having a variable-length date string is going to make the logic more complex. Anyone want to try?
On Monday, May 6, 2013 8:57:58 PM UTC-7, Giovanni P wrote:
>
> But I cannot change it, it's a log automatically generated from the
> application.
>
> On Tuesday, 7 May 2013 08:50:00 UTC+10, Jb Cheng wrote:
>>
>> Either use the 'July 04' format, or add an extra space after 'July ' and it
>> can be decoded correctly.
>> - - -
>> Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2
>>
>>
>> On Thursday, May 2, 2013 7:14:19 PM UTC-7, Giovanni P wrote:
>>>
>>> Hi all,
>>>
>>> I am using "OSSEC HIDS v2.7 - Trend Micro Inc." in local mode.
>>>
>>> I forward logs via syslog to OSSEC from ~20 servers. All working fine,
>>> but today I noticed a (bug?) problem in the pre-decoding phase of the log
>>> analysis.
>>>
>>> This is the output of logtest on an sshd example log:
>>>
>>>> *Jul 4 09:42:16* enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2
>>>>
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>> full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
>>>> hostname: 'myossechost'
>>>> *program_name: '(null)'*
>>>> log: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
>>>>
>>>> **Phase 2: Completed decoding.
>>>> No decoder matched.
>>>>
>>> And the second version is:
>>>
>>>> *Jul 04 09:42:16* enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2
>>>>
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>> full event: 'Jul 04 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
>>>> hostname: 'enigma'
>>>> *program_name: 'sshd'*
>>>> log: 'Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
>>>>
>>>> **Phase 2: Completed decoding.
>>>> decoder: 'sshd'
>>>> dstuser: 'dcid'
>>>> srcip: '192.168.2.10'
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>> Rule id: '5715'
>>>> Level: '3'
>>>> Description: 'SSHD authentication success.'
>>>> **Alert to be generated.
>>>>
>>>
>>> The timestamp is different: the first log is missing a digit in the
>>> day number. Of course this issue is valid for all the logs and prevents the
>>> rules relying on <program_name> from working (there are quite a lot).
>>> Did you guys identify this issue, or is it just my misconfiguration? (I
>>> know that I can change it in rsyslogd templates, I was just wondering if
>>> there is already a fix or something is in progress.)
>>>
>>>
>>> - Giovanni
>>>
>>
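To make the pre-decoding difference concrete, here is a small Python example added for this thread. It is not OSSEC's own code; it only imitates the behaviour the logtest output above shows. It contains a pre-decoder that assumes the fixed RFC 3164 header layout ("Mmm dd hh:mm:ss", day padded to two columns), a tolerant variant that also accepts a one-digit day, and the padding workaround Jb Cheng suggested. The sample lines are built from the sshd event in the thread, and the fallback hostname 'myossechost' is taken from the first logtest output; everything else (function names, the regular expressions) is an assumption of this example.

```python
"""Syslog pre-decoder demo: fixed-offset vs. tolerant timestamp parsing.

Constructed example for this thread, not OSSEC's own code.  The fixed-offset
parser mimics what the logtest output shows: when the day field is not two
columns wide, the timestamp is not recognised, hostname falls back to the
local host, program_name stays unset, and the whole line is passed on as log.
"""
import re
from typing import Dict, Optional

Event = Dict[str, Optional[str]]

LOCAL_HOSTNAME = "myossechost"  # fallback when no syslog header is recognised

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# hostname, program name, optional [pid], ": ", message
HEADER_RE = re.compile(r"^(\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")

# tolerant timestamp: one or two spaces after the month, one- or two-digit day
TS_RE = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d\d:\d\d:\d\d) (.*)$")


def _event(hostname: str, program_name: Optional[str],
           pid: Optional[str], log: str) -> Event:
    return {"hostname": hostname, "program_name": program_name,
            "pid": pid, "log": log}


def _fallback(line: str) -> Event:
    # Headerless line: attribute it to the local host and keep it whole.
    return _event(LOCAL_HOSTNAME, None, None, line)


def predecode_fixed(line: str) -> Event:
    """Pre-decoder that assumes the RFC 3164 layout 'Mmm dd hh:mm:ss ' (16 chars).

    The day must occupy exactly two columns (' 4' or '04').  A single-space
    'Jul 4' shifts every later field one column to the left, so the positional
    checks fail and the line is treated as if it had no syslog header at all.
    """
    ok = (len(line) > 16
          and line[0:3] in MONTHS
          and line[3] == " "
          and line[4] in " 0123456789" and line[5].isdigit()
          and line[6] == " "
          and re.fullmatch(r"\d\d:\d\d:\d\d", line[7:15]) is not None
          and line[15] == " ")
    if not ok:
        return _fallback(line)
    m = HEADER_RE.match(line[16:])
    if m is None:
        return _fallback(line)
    host, prog, pid, log = m.groups()
    return _event(host, prog, pid, log)


def predecode_tolerant(line: str) -> Event:
    """Same pre-decoder, but the day field may be ' 4', '04' or plain '4'."""
    m = TS_RE.match(line)
    if m is None or m.group(1) not in MONTHS:
        return _fallback(line)
    h = HEADER_RE.match(m.group(4))
    if h is None:
        return _fallback(line)
    host, prog, pid, log = h.groups()
    return _event(host, prog, pid, log)


def normalize_day(line: str) -> str:
    """Workaround from the thread: pad a one-digit day to the two-column
    RFC 3164 form so an unmodified fixed-offset decoder accepts the line.
    Lines that already have a two-column day are returned unchanged."""
    return re.sub(r"^([A-Z][a-z]{2}) (\d) (\d\d:\d\d:\d\d )", r"\1  \2 \3", line)


# Sample events built from the sshd line in the thread (constructed here).
TAIL = "enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2"
SAMPLES = {
    "rfc3164": "Jul  4 09:42:16 " + TAIL,       # standard: space-padded day
    "padded": "Jul 04 09:42:16 " + TAIL,        # zero-padded day, also 2 columns
    "single_space": "Jul 4 09:42:16 " + TAIL,   # the variant from the thread
}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        fixed = predecode_fixed(line)
        tol = predecode_tolerant(line)
        print(f"{name:13s} fixed: host={fixed['hostname']!r} program={fixed['program_name']!r}")
        print(f"{'':13s} tolerant: host={tol['hostname']!r} program={tol['program_name']!r}")
    print("normalized:", normalize_day(SAMPLES["single_space"]))
```

The practical point for rule authors is the third sample: with a fixed-offset pre-decoder the whole line ends up in `log`, `program_name` is never set, and every rule that keys on `<program_name>` (the sshd rule 5715 in the thread included) is silently skipped, so an authentication event that should alert produces nothing. Either padding the day at the source (`normalize_day` does the same thing an rsyslog template would) or a tolerant pre-decoder restores the fields that the rules need.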
