On Wed, Oct 30, 2013 at 10:59 AM, Gabriel Holder <[email protected]> wrote:
> I think it could be this.
> How can I get OSSEC to interpret the timestamp properly?
>

OSSEC ignores the timestamp. The key is to make sure the file is rotated and written to properly.

> On Wednesday, October 30, 2013 6:20:51 AM UTC-4, Jared wrote:
>>
>> I see this in my environment too when logs are not configured for log rotation properly. Every time the agent is restarted and reads the log, I get events for all of the entries that are in the log file. It has taken a lot of work with native application log rotation as well as logrotate to normalize the custom and COTS logs. I would check the source log file and make sure that it is being rotated regularly.
>>
>> Also, if the log's timestamp is not interpreted by OSSEC and is just matching to a search string (like "php" or "WARNING"), then OSSEC will send you the event and you will see the timestamp that is in the log file.
>>
>> Here is an example from this morning:
>>
>> OSSEC HIDS Notification.
>> 2013 Oct 30 09:51:48
>>
>> Received From: (prod-storage02) X.X.X.X->/data/Files/1/log/term.log
>> Rule: 105005 fired (level 10) -> "ossec: omitted"
>> Portion of the log(s):
>>
>> [2013-10-24 19:05:43,608] ===> Error in thread ajp-apr-8009-exec-198 at 10/24/2013 07:05 PM
>>
>> --END OF NOTIFICATION
>>
>> Log time is from the 24th at 5:24 am, but the event was received on the 30th at 9:51 AM.
>>
>> Last thing to check would be the time of the agent vs. the time of the server. I would try to set them both to be the same or use UTC for everything.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
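The replay symptom Jared describes (an alert whose embedded log line is days older than the alert itself) can be spotted automatically by comparing the two timestamps in an OSSEC notification. The script below is an added example, not code from the thread or from the OSSEC project; the notification text is constructed after the one quoted above, and the one-hour threshold and the `[YYYY-MM-DD HH:MM:SS` log-line format are assumptions.

```python
import re
from datetime import datetime

# Constructed sample notification modelled on the one quoted in the thread
# (host, IP and path are the placeholders the poster used).
SAMPLE_NOTIFICATION = """OSSEC HIDS Notification.
2013 Oct 30 09:51:48

Received From: (prod-storage02) X.X.X.X->/data/Files/1/log/term.log
Rule: 105005 fired (level 10) -> "ossec: omitted"
Portion of the log(s):

[2013-10-24 19:05:43,608] ===> Error in thread ajp-apr-8009-exec-198 at 10/24/2013 07:05 PM

--END OF NOTIFICATION
"""

# Alert time is the line OSSEC writes right under the header: "2013 Oct 30 09:51:48".
ALERT_TIME_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})$", re.M)
# Assumed application log format: "[YYYY-MM-DD HH:MM:SS,ms] ..." (the quoted term.log).
LOG_TIME_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
SOURCE_RE = re.compile(r"^Received From: .*->(\S+)$", re.M)


def parse_notification(text):
    """Return (alert_time, log_time, source_path); raise ValueError if any is missing."""
    m_alert, m_log, m_src = ALERT_TIME_RE.search(text), LOG_TIME_RE.search(text), SOURCE_RE.search(text)
    if not (m_alert and m_log and m_src):
        raise ValueError("notification lacks alert time, log line time or source path")
    alert_time = datetime.strptime(m_alert.group(1), "%Y %b %d %H:%M:%S")
    log_time = datetime.strptime(m_log.group(1), "%Y-%m-%d %H:%M:%S")
    return alert_time, log_time, m_src.group(1)


def replay_lag_hours(text):
    """Hours between when the log line was written and when OSSEC alerted on it.
    A large positive value means the agent re-read old entries (rotation problem);
    a negative value means the log's clock runs ahead of the server's (clock skew)."""
    alert_time, log_time, _ = parse_notification(text)
    return (alert_time - log_time).total_seconds() / 3600.0


def is_replayed(text, max_lag_hours=1.0):
    """Flag alerts whose log line is older than the tolerated lag (assumed 1 h,
    wide enough to absorb a timezone offset between agent and server)."""
    return replay_lag_hours(text) > max_lag_hours


if __name__ == "__main__":
    _, _, path = parse_notification(SAMPLE_NOTIFICATION)
    print("%s lag=%.1f h replayed=%s" % (path, replay_lag_hours(SAMPLE_NOTIFICATION), is_replayed(SAMPLE_NOTIFICATION)))
```

Run it over the notification mails your ossec-list alerts produce and group by source path; a path that keeps scoring large lags is the one whose rotation to check first.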
