On Wed, Jan 8, 2014 at 4:51 PM, Carl Hilinski <[email protected]> wrote:
> The times are the same in /var/ossec/logs/alerts/alert.log for each line.
> For example:
> ** Alert 1389217620.124036: - pam,syslog,authentication_success,
> 2014 Jan 08 16:47:00 SRV-LOG-03->/var/log/secure
> Rule: 5501 (level 3) -> 'Login session opened.'
> Jan  8 16:46:59 SRV-LOG-03 sshd[11292]: pam_unix(sshd:session): session
> opened for user ttttt by (uid=0)
>
> This shows up in the webui as 2014 Jan 8 21:47
>
> The last line of the timezone file is EST5EDT,M3.2.0,M11.1.0 and I'm U.S.
> Eastern time.
>

Is /etc/localtime correct? It seems like your system is set to UTC (5
hours ahead).

> On Monday, January 6, 2014 1:28:26 PM UTC-5, Carl Hilinski wrote:
>>
>> When I look in the web ui (beta .8) for Ossec, I see two issues. One is
>> that the time is wrong:
>> 3 - SSHD authentication success.    2014 Jan 06 18:16:00
>> Rule Id:
>> 5715
>> Location:
>> plato.hes.hmc.psu.edu->/var/log/messages
>> Src IP:
>> x.x.x.x
>> Jan 6 13:17:32 plato.hes.hmc.psu.edu sshd[22493]: [ID 800047 auth.info]
>> Accepted keyboard-interactive for oracle from x.x.x.x port 62671 ssh2
>>
>>
>> It's off by seven hours. The line that read 2014 Jan 06 18:16:00 should be
>> 2014 Jan 06 01:16:00. Note that the time is correct in the actual log. All
>> of the system/clock settings are  correct on this redhat 6.4 machine. It
>> appears to be a timezone issue...is that set somewhere special?
>>
>> Second, not all of the agents are listed in the area of the webui window
>> that lists the connected machines. While a couple are not listed there, they
>> will have activity listed in the Latest Events window.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to