Either use 'July 04' format, or add an extra space after 'July ' and it can 
be decoded correctly.   
- -  -
Jul  4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 
192.168.2.10 port 35259 ssh2


On Thursday, May 2, 2013 7:14:19 PM UTC-7, Giovanni P wrote:
>
> Hi all,
>
> I am using "OSSEC HIDS v2.7 - Trend Micro Inc." in local mode.
>
> I forward logs via syslog to OSSEC from ~20 servers. All working fine, but 
> today I noticed a (bug?) problem in the pre-decoding phase of the log 
> analysis.
>
> This is the output of logtest on some SSHd example log:
>
> *Jul 4 09:42:16* enigma sshd[11990]: Accepted password for dcid from 
>> 192.168.2.10 port 35259 ssh2
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password 
>> for dcid from 192.168.2.10 port 35259 ssh2'
>>        hostname: 'myossechost'
>>        *program_name: '(null)'*
>>        log: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for 
>> dcid from 192.168.2.10 port 35259 ssh2'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
> And second version is:
>
> *Jul 04 09:42:16* enigma sshd[11990]: Accepted password for dcid from 
>> 192.168.2.10 port 35259 ssh2
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Jul 04 09:42:16 enigma sshd[11990]: Accepted password for 
>> dcid from 192.168.2.10 port 35259 ssh2'
>> hostname: 'enigma'
>> *program_name: 'sshd'*
>> log: 'Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'sshd'
>> dstuser: 'dcid'
>> srcip: '192.168.2.10'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '5715'
>> Level: '3'
>> Description: 'SSHD authentication success.'
>> **Alert to be generated.
>>
>
> The time stamp is different: the first log is missing a digit in the day 
> number. Of course this issue is valid for all the logs and prevents the 
> rules relying on <program_name> from working (there are quite a lot).
> Have you guys identified this issue, or is it just my misconfiguration? (I know 
> that I can change it in the rsyslogd templates, I was just wondering if there 
> is already a fix or something is in progress.)
>
>
> - Giovanni
>

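The behaviour the thread describes comes down to a fixed-width syslog header: the classic "Mmm dd hh:mm:ss " prefix is 16 characters with a two-character day field, so a forwarder that emits "Jul 4" (one space, one digit) is a character short, the pre-decoder gives up on the whole line, and every rule keyed on program_name goes quiet for that host. The script below is an added illustration, not OSSEC's own pre-decoder: it models the fixed-width check, shows the three timestamp variants from the thread side by side, and includes a normalizer that zero-pads the day before the line reaches the analyzer. The sample lines are constructed, the fallback hostname "myossechost" is assumed to play the role it has in the quoted logtest output, and the function names are hypothetical.

```python
import re
from typing import Dict, Optional

# Constructed sample events: the three timestamp variants discussed in the thread.
SAMPLES: Dict[str, str] = {
    "single_space": "Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2",
    "zero_padded":  "Jul 04 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2",
    "space_padded": "Jul  4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2",
}

# Assumed fallback hostname used when a line has no parseable header
# (the quoted logtest run shows 'myossechost' in that role).
LOCAL_HOSTNAME = "myossechost"


def has_bsd_syslog_timestamp(line: str) -> bool:
    """True if the line starts with a fixed-width 'Mmm dd hh:mm:ss ' header.

    The day field is two characters wide (zero- or space-padded), so
    'Jul 4 09:42:16' is one character short and fails this check, while
    'Jul 04 09:42:16' and 'Jul  4 09:42:16' both pass.
    """
    if len(line) < 16:
        return False
    return (
        line[0:3].isalpha()
        and line[3] == " "
        and (line[4] == " " or line[4].isdigit())
        and line[5].isdigit()
        and line[6] == " "
        and line[9] == ":"
        and line[12] == ":"
        and line[15] == " "
    )


def predecode(line: str, local_hostname: str = LOCAL_HOSTNAME) -> Dict[str, Optional[str]]:
    """Simplified fixed-width pre-decoder (illustration, not OSSEC's code).

    On success it returns hostname, program_name and the message that follows
    'prog[pid]: '. On failure the whole line becomes the log, the hostname
    falls back to the local host and program_name is None, which is exactly
    the shape of the first logtest run quoted in the thread.
    """
    if not has_bsd_syslog_timestamp(line):
        return {"hostname": local_hostname, "program_name": None, "log": line}
    rest = line[16:]
    hostname, _, rest = rest.partition(" ")
    # Program name ends at '[' (pid follows) or at ':'; the message starts after ': '.
    m = re.match(r"([^\[:\s]+)(?:\[\d+\])?:\s*(.*)$", rest)
    if not m:
        return {"hostname": hostname, "program_name": None, "log": rest}
    return {"hostname": hostname, "program_name": m.group(1), "log": m.group(2)}


# Matches a header whose day is a single digit followed by one space.
_SHORT_DAY = re.compile(r"^([A-Z][a-z]{2}) (\d) (\d\d:\d\d:\d\d) ")


def normalize_day_field(line: str) -> str:
    """Zero-pad a one-digit day ('Jul 4 ...' -> 'Jul 04 ...') so the fixed-width
    header check succeeds. Lines that are already padded come back unchanged."""
    return _SHORT_DAY.sub(lambda m: f"{m.group(1)} 0{m.group(2)} {m.group(3)} ", line, count=1)


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, predecode(line))
    print("normalized", predecode(normalize_day_field(SAMPLES["single_space"])))
```

Running it shows the single-space line coming back with the fallback hostname and no program_name, the other two decoding to hostname 'enigma' and program 'sshd', and the normalized line decoding like the zero-padded one. Normalizing at the forwarder (or checking that the forwarder's template already pads the day) is the cheaper fix; the point worth remembering is that a header one character short is not a parse error anyone sees, it is rules silently never firing.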