On Thu, Jan 9, 2014 at 8:28 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Jan 8, 2014 at 4:51 PM, Carl Hilinski <[email protected]> wrote:
>> The times are the same in /var/ossec/logs/alerts/alert.log for each line.
>> For example:
>> ** Alert 1389217620.124036: - pam,syslog,authentication_success,
>> 2014 Jan 08 16:47:00 SRV-LOG-03->/var/log/secure
>> Rule: 5501 (level 3) -> 'Login session opened.'
>> Jan 8 16:46:59 SRV-LOG-03 sshd[11292]: pam_unix(sshd:session): session
>> opened for user ttttt by (uid=0)
>>
>> This shows up in the webui as 2014 Jan 8 21:47
>>
>> The last line of the timezone file is EST5EDT,M3.2.0,M11.1.0 and I'm U.S.
>> Eastern time.
>>
>
> Is /etc/localtime correct? It seems like your system is set to UTC (5
> hours ahead).
>
I just checked on my system, and I'm seeing the same behavior. Perhaps
the wui converts everything to UTC?

>> On Monday, January 6, 2014 1:28:26 PM UTC-5, Carl Hilinski wrote:
>>>
>>> When I look in the web ui (beta .8) for Ossec, I see two issues. One is
>>> that the time is wrong:
>>> 3 - SSHD authentication success. 2014 Jan 06 18:16:00
>>> Rule Id:
>>> 5715
>>> Location:
>>> plato.hes.hmc.psu.edu->/var/log/messages
>>> Src IP:
>>> x.x.x.x
>>> Jan 6 13:17:32 plato.hes.hmc.psu.edu sshd[22493]: [ID 800047 auth.info]
>>> Accepted keyboard-interactive for oracle from x.x.x.x port 62671 ssh2
>>>
>>>
>>> It's off by seven hours. The line that read 2014 Jan 06 18:16:00 should be
>>> 2014 Jan 06 01:16:00. Note that the time is correct in the actual log. All
>>> of the system/clock settings are correct on this redhat 6.4 machine. It
>>> appears to be a timezone issue...is that set somewhere special?
>>>
>>> Second, not all of the agents are listed in the area of the webui window
>>> that lists the connected machines. While a couple are not listed there, they
>>> will have activity listed in the Latest Events window.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
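
Added example (not part of the thread and not OSSEC's own code): the alert ID in the quoted alert.log entry begins with a Unix epoch, so rendering that epoch in UTC and comparing it with the entry's timestamp line shows which clock each view is using. The function names are hypothetical and the sample is constructed from the alert quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the alert.log entry quoted in the thread above.
SAMPLE_ALERT = """\
** Alert 1389217620.124036: - pam,syslog,authentication_success,
2014 Jan 08 16:47:00 SRV-LOG-03->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Jan  8 16:46:59 SRV-LOG-03 sshd[11292]: pam_unix(sshd:session): session opened for user ttttt by (uid=0)
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:", re.M)
STAMP_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) ", re.M)


def parse_alert(text):
    """Return (epoch rendered in UTC, timestamp as written) for one entry."""
    header = HEADER_RE.search(text)
    stamp = STAMP_RE.search(text)
    if not header or not stamp:
        raise ValueError("not an alert.log entry")
    epoch_utc = datetime.fromtimestamp(int(header.group(1)), tz=timezone.utc)
    written = datetime.strptime(stamp.group(1), "%Y %b %d %H:%M:%S")
    return epoch_utc, written


def server_utc_offset(text):
    """Offset of the clock that wrote the timestamp line, relative to UTC."""
    epoch_utc, written = parse_alert(text)
    delta = written - epoch_utc.replace(tzinfo=None)
    # Round to the nearest 15 minutes, the granularity of real UTC offsets.
    return timedelta(minutes=15 * round(delta.total_seconds() / 900))


def classify_display(text, displayed, fmt="%Y %b %d %H:%M"):
    """Say whether a time shown elsewhere is the UTC or the local rendering."""
    epoch_utc, written = parse_alert(text)
    shown = datetime.strptime(displayed, fmt)
    if shown == epoch_utc.replace(tzinfo=None, second=0):
        return "utc"
    if shown == written.replace(second=0):
        return "server-local"
    return "unknown"


if __name__ == "__main__":
    print(server_utc_offset(SAMPLE_ALERT))
    print(classify_display(SAMPLE_ALERT, "2014 Jan 8 21:47"))
```

For the quoted alert, the timestamp line is five hours behind the epoch's UTC rendering, and the 21:47 value reported from the web UI matches the UTC rendering.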
