I think it could be this. How can I get ossec to interpret the timestamp properly?
On Wednesday, October 30, 2013 6:20:51 AM UTC-4, Jared wrote:

> I see this in my environment too when logs are not configured for log rotation properly. Every time the agent is restarted and reads the log, I get events for all of the entries that are in the log file. It has taken a lot of work with native application log rotation as well as logrotate to normalize the custom and COTS logs. I would check the source log file and make sure that it is being rotated regularly.
>
> Also, if the log's timestamp is not interpreted by OSSEC and is just matching to a search string (like "php" or "WARNING"), then OSSEC will send you the event and you will see the time stamp that is in the log file.
>
> Here is an example from this morning:
>
> OSSEC HIDS Notification.
> 2013 Oct 30 09:51:48
>
> Received From: (prod-storage02) X.X.X.X->/data/Files/1/log/term.log
> Rule: 105005 fired (level 10) -> "ossec: omitted"
> Portion of the log(s):
>
> [2013-10-24 19:05:43,608] ===> Error in thread ajp-apr-8009-exec-198 at 10/24/2013 07:05 PM
>
> --END OF NOTIFICATION
>
> Log time is from the 24th at 5:24 am, but the event was received on the 30th at 9:51 AM.
>
> Last thing to check would be the time of the agent vs. the time of the server. I would try to set them both to be the same or use UTC for everything.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
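The symptom Jared describes (an alert received on the 30th carrying a log line dated the 24th) can be caught on the receiving side by comparing the timestamp embedded in the log line against the time the server received the alert. The script below is an added example, not part of this thread or of OSSEC itself; it assumes the `[YYYY-MM-DD HH:MM:SS,mmm]` prefix format shown in the quoted notification, and the sample alerts are constructed from that notification plus two made-up lines. Lines that carry no parseable timestamp are reported separately, since those are exactly the ones OSSEC can only match on a search string.

```python
import re
from datetime import datetime, timedelta

# Matches the bracketed prefix from the quoted notification, e.g.
# "[2013-10-24 19:05:43,608]". Assumption: only this one application
# format is handled; other log sources would need their own pattern.
TIMESTAMP_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})\]")


def parse_log_timestamp(line):
    """Return the datetime embedded at the start of a log line, or None
    when the line has no recognisable timestamp prefix."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts.replace(microsecond=int(m.group(2)) * 1000)


def classify_alert(received_at, log_line, max_lag=timedelta(hours=1)):
    """Classify one alert as:
      'fresh'   - the log entry's own timestamp is within max_lag of receipt
      'stale'   - the entry is older than max_lag (typical of a restarted
                  agent re-reading an unrotated file)
      'untimed' - no timestamp could be parsed, so the alert time is the
                  only time available (string-match rule)
    Returns (status, lag) where lag is None for 'untimed'."""
    ts = parse_log_timestamp(log_line)
    if ts is None:
        return "untimed", None
    lag = received_at - ts
    if lag > max_lag:
        return "stale", lag
    return "fresh", lag


def find_stale_alerts(alerts, max_lag=timedelta(hours=1)):
    """Return [(received_at, log_line, lag)] for every stale alert in
    an iterable of (received_at, log_line) pairs."""
    stale = []
    for received_at, line in alerts:
        status, lag = classify_alert(received_at, line, max_lag)
        if status == "stale":
            stale.append((received_at, line, lag))
    return stale


# Constructed sample: first pair taken from the quoted notification
# (server time 2013 Oct 30 09:51:48, log line dated 2013-10-24),
# the other two are made up for illustration.
SAMPLE_ALERTS = [
    (datetime(2013, 10, 30, 9, 51, 48),
     "[2013-10-24 19:05:43,608] ===> Error in thread ajp-apr-8009-exec-198"),
    (datetime(2013, 10, 30, 9, 52, 10),
     "[2013-10-30 09:52:09,001] WARNING connection pool exhausted"),
    (datetime(2013, 10, 30, 9, 52, 30),
     "PHP Warning: a line with no timestamp prefix at all"),
]

if __name__ == "__main__":
    for received_at, line, lag in find_stale_alerts(SAMPLE_ALERTS):
        print(f"stale by {lag}: received {received_at:%Y-%m-%d %H:%M:%S} -> {line}")
    for received_at, line in SAMPLE_ALERTS:
        if classify_alert(received_at, line)[0] == "untimed":
            print(f"no parseable timestamp, alert time is all we have -> {line}")
```

Run as-is it flags the 24th-dated entry as stale by a little over five and a half days, and reports the PHP line as untimed. The one-hour `max_lag` is a starting point; on a host whose agent and server clocks differ, every alert will show a constant offset, which is the clock-skew case mentioned at the end of the quoted reply.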
