Hi everybody,
I built a decoder for parsing my log4j logs, as shown here:

    <decoder name="tomcat-LOG4J-FATAL">
      <prematch>^\d+-\d+-\d+ \d+:\d+:\d+ FATAL </prematch>
      <!-- offset="after_prematch" so extra_data starts after the level, as in the ERROR decoder -->
      <regex offset="after_prematch">(\.+)</regex>
      <order>extra_data</order>
    </decoder>

    <decoder name="tomcat-LOG4J-ERROR">
      <prematch>^\d+-\d+-\d+ \d+:\d+:\d+ ERROR </prematch>
      <regex offset="after_prematch">(\.+)</regex>
      <order>extra_data</order>
    </decoder>

When I run ossec-logtest on this example log:

    2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................

it seems that OSSEC parsed it with windows-date-format, as shown here:

    **Phase 1: Completed pre-decoding.
           full event: '2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................'
           hostname: 'alienvault'
           program_name: '(null)'
           log: '2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................'

    **Phase 2: Completed decoding.
           decoder: 'windows-date-format'
           extra_data: '2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................'

    **Phase 3: Completed filtering (rules).
           Rule id: '2900'
           Level: '0'
           Description: 'Dpkg (Debian Package) log.'

How can we solve this?

Best regards,

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
