I see this in my environment too when logs are not configured for log rotation properly. Every time the agent is restarted and reads the log, I get events for all of the entries that are in the log file. It has taken a lot of work with native application log rotation as well as logrotate to normalize the custom and COTS logs. I would check the source log file and make sure that it is being rotated regularly.
Also, if the log's timestamp is not interpreted by OSSEC and it is just matching a search string (like "php" or "WARNING"), then OSSEC will send you the event and you will see the timestamp that is in the log file. Here is an example from this morning:

OSSEC HIDS Notification.
2013 Oct 30 09:51:48

Received From: (prod-storage02) X.X.X.X->/data/Files/1/log/term.log
Rule: 105005 fired (level 10) -> "ossec: omitted"
Portion of the log(s):

[2013-10-24 19:05:43,608] ===> Error in thread ajp-apr-8009-exec-198 at 10/24/2013 07:05 PM

--END OF NOTIFICATION

Log time is from the 24th at 5:24 am, but the event was received on the 30th at 9:51 AM. Last thing to check would be the time of the agent vs. the time of the server. I would try to set them both to be the same, or use UTC for everything.
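Added example, not from the post above or from the OSSEC project: a small Python check that parses an OSSEC e-mail notification shaped like the one quoted, decodes the timestamp left inside the matched log line, and measures how far it lags the server's "received" time. A large positive lag is the replay symptom described in the post (an old entry alerted again after the agent re-read an unrotated file); a negative lag means the log line is newer than the server's receive time, which is the agent/server clock skew the post says to check last. The sample alert is the quoted one re-typed as a constant, the list of log timestamp formats and the two thresholds are assumptions, and none of the function names are OSSEC's own.

```python
"""Measure how stale an OSSEC alert's matched log line is, relative to the
time the server received it, to distinguish replayed entries from clock skew."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: the notification quoted in the post above, re-typed.
SAMPLE_ALERT = """OSSEC HIDS Notification.
2013 Oct 30 09:51:48

Received From: (prod-storage02) X.X.X.X->/data/Files/1/log/term.log
Rule: 105005 fired (level 10) -> "ossec: omitted"
Portion of the log(s):

[2013-10-24 19:05:43,608] ===> Error in thread ajp-apr-8009-exec-198 at 10/24/2013 07:05 PM

--END OF NOTIFICATION
"""

# Header lines of the notification (the "received" line has no label of its own).
RECEIVED_RE = re.compile(r"^(\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2})$", re.M)
SOURCE_RE = re.compile(r"^Received From: \((?P<agent>[^)]*)\) (?P<src>.+?)->(?P<path>\S+)", re.M)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\)", re.M)

# Timestamp shapes we know how to decode from the log body. Assumed list:
# extend it with whatever your custom and COTS logs actually emit.
LOG_TS_PATTERNS = [
    (re.compile(r"(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)"), "%m/%d/%Y %I:%M %p"),
]


@dataclass
class Alert:
    received: datetime   # when the OSSEC server processed the event
    agent: str
    path: str
    rule: int
    level: int
    log_lines: List[str]


def parse_alert(text: str) -> Alert:
    """Pull the fields we need out of an OSSEC HIDS notification."""
    m_recv, m_src, m_rule = RECEIVED_RE.search(text), SOURCE_RE.search(text), RULE_RE.search(text)
    if not (m_recv and m_src and m_rule):
        raise ValueError("not an OSSEC HIDS notification")
    received = datetime.strptime(m_recv.group(1), "%Y %b %d %H:%M:%S")
    # The matched log text sits between "Portion of the log(s):" and the end marker.
    _, _, tail = text.partition("Portion of the log(s):")
    body, _, _ = tail.partition("--END OF NOTIFICATION")
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return Alert(received, m_src.group("agent"), m_src.group("path"),
                 int(m_rule.group("rule")), int(m_rule.group("level")), lines)


def log_timestamp(line: str) -> Optional[datetime]:
    """Decode the timestamp embedded in one log line, or None if unrecognised."""
    for pattern, fmt in LOG_TS_PATTERNS:
        m = pattern.search(line)
        if m:
            try:
                return datetime.strptime(m.group(1), fmt)
            except ValueError:
                continue
    return None


def lag_seconds(alert: Alert) -> Optional[float]:
    """Seconds between the log line's own timestamp and the server's receive time.
    None when OSSEC matched on a plain string and no timestamp can be decoded."""
    for line in alert.log_lines:
        ts = log_timestamp(line)
        if ts is not None:
            return (alert.received - ts).total_seconds()
    return None


def classify(alert: Alert, stale_after: float = 3600, skew_tolerance: float = 120) -> str:
    """Label the alert; thresholds (seconds) are assumed defaults, tune per site."""
    lag = lag_seconds(alert)
    if lag is None:
        return "undecoded"      # only the receive time is trustworthy here
    if lag < -skew_tolerance:
        return "clock-skew"     # log line is newer than the server's clock says it arrived
    if lag > stale_after:
        return "stale-replay"   # old entry alerted again, e.g. unrotated file re-read on restart
    return "fresh"


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a.agent, a.path, a.rule, a.level, lag_seconds(a), classify(a))
```

Run against the quoted alert it reports a lag of 485165 seconds (a little over five and a half days) and labels it "stale-replay"; feeding it an alert whose log line carries no decodable timestamp yields "undecoded", which is exactly the case the post describes where OSSEC matched a bare string and the only time you can trust is the server's.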
