I would start off with the log rotation as the first step. Unless your application is generating events in the past, I believe that this will fix most of your issues. I still have not been able to get the change order approved for the server referenced below, but when I look at other similar servers with proper log rotation, I never get old messages like the one below.
I am not really sure how OSSEC keeps track of time or how it keeps from sending old messages / duplicates or if it uses the time string in the event at all.

Jared

On Wed, Oct 30, 2013 at 10:59 AM, Gabriel Holder <[email protected]> wrote:
> I think it could be this.
> How can I get ossec to interpret the timestamp properly?
>
> On Wednesday, October 30, 2013 6:20:51 AM UTC-4, Jared wrote:
>> I see this in my environment too when logs are not configured for log rotation properly. Every time the agent is restarted and reads the log, I get events for all of the entries that are in the log file. It has taken a lot of work with native application log rotation as well as logrotate to normalize the custom and COTS logs. I would check the source log file and make sure that it is being rotated regularly.
>>
>> Also, if the log's timestamp is not interpreted by OSSEC and is just matching to a search string (like "php" or "WARNING"), then OSSEC will send you the event and you will see the time stamp that is in the log file.
>>
>> Here is an example from this morning:
>>
>> OSSEC HIDS Notification.
>> 2013 Oct 30 09:51:48
>>
>> Received From: (prod-storage02) X.X.X.X->/data/Files/1/log/term.log
>> Rule: 105005 fired (level 10) -> "ossec: omitted"
>> Portion of the log(s):
>>
>> [2013-10-24 19:05:43,608] ===> Error in thread ajp-apr-8009-exec-198 at 10/24/2013 07:05 PM
>>
>> --END OF NOTIFICATION
>>
>> Log time is from the 24th at 5:24 am, but the event was received on the 30th at 9:51 AM.
>>
>> Last thing to check would be the time of the agent vs. the time of the server. I would try to set them both to be the same or use UTC for everything.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
> --

Thank you,
Jared R. Greene
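As an added example (not code from this thread or from the OSSEC project), a small Python check that parses the notification format quoted above and flags alerts whose embedded log timestamp is much older than the alert time, which is the symptom Jared describes when an unrotated log is re-read on agent restart or when a rule only string-matches and never interprets the timestamp. The sample alert is constructed from the quoted one; host name, address and path are placeholders, and the one-hour staleness threshold is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alert modelled on the notification quoted in the thread.
# Host name, address and path are placeholders, not real systems.
STALE_ALERT = """OSSEC HIDS Notification.
2013 Oct 30 09:51:48

Received From: (prod-storage02) X.X.X.X->/data/Files/1/log/term.log
Rule: 105005 fired (level 10) -> "ossec: omitted"
Portion of the log(s):

[2013-10-24 19:05:43,608] ===> Error in thread ajp-apr-8009-exec-198 at 10/24/2013 07:05 PM

--END OF NOTIFICATION
"""
# Same alert with a same-day log line: the healthy case, for comparison.
FRESH_ALERT = STALE_ALERT.replace("[2013-10-24 19:05:43,608]", "[2013-10-30 09:51:40,001]")

ALERT_TIME_RE = re.compile(r"^(\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})$", re.M)  # OSSEC's own clock
LOG_TIME_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", re.M)           # app's bracketed stamp
SOURCE_RE = re.compile(r"^Received From: (.+)$", re.M)

def split_notifications(text):
    """Split a mail body carrying several alerts into individual notification blocks."""
    parts = text.split("--END OF NOTIFICATION")
    return [p.strip() for p in parts if "OSSEC HIDS Notification" in p]

def parse_alert(text):
    """Return (alert_time, log_time, source) for one notification, or None if malformed."""
    m_alert, m_log, m_src = ALERT_TIME_RE.search(text), LOG_TIME_RE.search(text), SOURCE_RE.search(text)
    if not (m_alert and m_log and m_src):
        return None
    alert_time = datetime.strptime(m_alert.group(1), "%Y %b %d %H:%M:%S")
    log_time = datetime.strptime(m_log.group(1), "%Y-%m-%d %H:%M:%S")
    return alert_time, log_time, m_src.group(1)

def alert_lag(text):
    """Seconds between the log line's own timestamp and the moment OSSEC raised the alert."""
    parsed = parse_alert(text)
    return None if parsed is None else (parsed[0] - parsed[1]).total_seconds()

def is_stale(text, max_lag=timedelta(hours=1)):
    """True when the alert replays a log entry older than max_lag (the unrotated-log symptom)."""
    lag = alert_lag(text)
    return lag is not None and lag > max_lag.total_seconds()
```

A lag that is large and roughly constant across many alerts from one agent usually points at clock skew between agent and server, while lags that jump on every agent restart point at the log not being rotated.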
