Hello,

I have a question about changing the date format in alerts.log if possible. 
At the moment, I get this as an alert:

** Alert 1484784302.1529: - pam,syslog,
*2017* Jan 19 00:05:02 ossec-15->/var/log/secure
Rule: 5502 (level 3) -> 'Login session closed.'
Jan 00:005:02 ossec-15 su: pam_unix(su-l:session): session closed for user ec2-user

I have tested an upgrade to 2.9 so we could have a log in json which is our 
standard (please note that it's not the identical alert but one of the same 
type):

{"rule":{"level":3,"comment":"Login session closed.","sidid":5502,"firedtimes":2,"groups":["pam","syslog"],"PCI_DSS":["10.2.5"]},"full_log":"Jan 19 13:20:07 ossec-15 su: pam_unix(su-l:session): session closed for user ec2-user","program_name":"su","decoder":{"name":"pam"},"hostname":"ossec-15","timestamp":"*2017* Jan 19 13:20:08","location":"/var/log/secure"}

We use filebeat to read alerts.json, filebeat sends to 
logstash/elasticsearch/kibana.

My problem is the year (2017) that's added to the beginning of the 
timestamp field in the json log (which is added in the alerts.log as well). 
The logstash configuration we have written can't handle that. I know that 
we could rewrite the logstash configuration but would rather change closer 
to the source.

Is this something that can be done in a decoder? Sorry for not RTFM but 
hoping someone can help before I start trawling through the documentation.

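As an added example (not OSSEC, Filebeat or Logstash code, and not from the poster): a small Python normalisation step that parses the year-prefixed "timestamp" field of an alerts.json line and adds an ISO 8601 "@timestamp" field before the alert is shipped. It assumes a constructed sample alert modelled on the one quoted above (asterisks dropped, since they were e-mail emphasis) and that the OSSEC server's clock is UTC.

```python
import json
from datetime import datetime, timezone

# OSSEC 2.9 writes "YYYY Mon DD HH:MM:SS" into the "timestamp" field.
OSSEC_TS_FORMAT = "%Y %b %d %H:%M:%S"

# Constructed sample, modelled on the alert in the post (the asterisks around
# the year were e-mail emphasis, not part of the file).
SAMPLE_ALERT = (
    '{"rule":{"level":3,"comment":"Login session closed.","sidid":5502,'
    '"firedtimes":2,"groups":["pam","syslog"],"PCI_DSS":["10.2.5"]},'
    '"full_log":"Jan 19 13:20:07 ossec-15 su: pam_unix(su-l:session): '
    'session closed for user ec2-user","program_name":"su",'
    '"decoder":{"name":"pam"},"hostname":"ossec-15",'
    '"timestamp":"2017 Jan 19 13:20:08","location":"/var/log/secure"}'
)


def parse_ossec_timestamp(value: str, tz=timezone.utc) -> datetime:
    """Parse the year-prefixed OSSEC timestamp. The file carries no zone,
    so the caller supplies the one the OSSEC server runs in (assumed UTC)."""
    return datetime.strptime(value.strip(), OSSEC_TS_FORMAT).replace(tzinfo=tz)


def normalize_alert(line: str) -> dict:
    """Return the alert with an ISO 8601 '@timestamp' added and the original
    string kept in 'ossec_timestamp' so the shipped event stays traceable."""
    alert = json.loads(line)
    raw = alert["timestamp"]
    try:
        ts = parse_ossec_timestamp(raw)
    except ValueError:
        # Unparseable timestamp: keep the alert and flag it rather than drop it.
        alert["timestamp_parse_error"] = True
        return alert
    alert["@timestamp"] = ts.isoformat()
    alert["ossec_timestamp"] = raw
    return alert


if __name__ == "__main__":
    print(json.dumps(normalize_alert(SAMPLE_ALERT), indent=2))
```

If the conversion is done in Logstash instead, the same string matches the date filter pattern `yyyy MMM dd HH:mm:ss`.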