Hi,

this problem is not new to me and I mainly ignore it but now I thought
to tackle it again since I moved to a new server and installed
ossec-server using the atomicorp debian packages.

I have a fairly default use case and have an ossec server with one agent
attached to it. I also have active response enabled using the default
scripts. This is all working. Where I have a problem is the active
response logfile. In particular the way time and date is logged to the file.

I installed ossec on this server on Feb 16 and the format is as I expected:
Sat Feb 16 14:11:29 CET 2019 /var/ossec/active-response/...

But after upgrading the server from debian stable to testing the output
changed:
Sat Apr  6 12:19:14 CEST 2019 /var/ossec/active-response/...
Sat 06 Apr 2019 12:39:54 PM CEST /var/ossec/active-response/...

I just noticed this now and I looked up the locale configuration for
root and it was set to en_US.UTF-8 which is not what I want. So I
changed the default system locale to C.UTF-8. After restarting ossec the
output of the ar scripts hasn't changed. I logged out and logged in as
root again to verify that the date output is as I want and yes it is:
Fri Apr 19 19:38:34 CEST 2019

So my question is where does the process that triggers active response
get its locale from? How can I change that so I get a 24h time format,
not the AM/PM format?

Normally I would ignore it but I have a script that gathers the number
of active responses for a given time period and it needs to parse the
date and time from the logfile reliably.

Regards
Christian
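
An added example (not part of the original message and not OSSEC code): a parser that accepts both timestamp layouts shown in the log excerpts above, so a counting script keeps working whichever locale the active-response process runs under. The names `parse_ar_line` and `count_between` and the sample lines marked as constructed are assumptions.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
CLOCK = r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})"

# Layout 1 (24-hour): "Sat Apr  6 12:19:14 CEST 2019 <rest>"
C_STYLE = re.compile(r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) " + CLOCK +
                     r" (?P<tz>\S+) (?P<year>\d{4}) (?P<rest>.*)$")
# Layout 2 (12-hour): "Sat 06 Apr 2019 12:39:54 PM CEST <rest>"
AMPM_STYLE = re.compile(r"^\w{3} (?P<day>\d{1,2}) (?P<mon>\w{3}) (?P<year>\d{4}) "
                        + CLOCK + r" (?P<ampm>AM|PM) (?P<tz>\S+) (?P<rest>.*)$")


def parse_ar_line(line):
    """Return (naive wall-clock datetime, tz abbreviation, rest) or None."""
    for pattern in (C_STYLE, AMPM_STYLE):
        m = pattern.match(line.rstrip("\n"))
        if not m:
            continue
        g = m.groupdict()
        hour = int(g["h"])
        if g.get("ampm"):  # 12 AM -> 00, 12 PM -> 12, 01 PM -> 13
            hour = hour % 12 + (12 if g["ampm"] == "PM" else 0)
        try:
            ts = datetime(int(g["year"]), MONTHS[g["mon"]], int(g["day"]),
                          hour, int(g["mi"]), int(g["s"]))
        except (KeyError, ValueError):  # unknown month or impossible date
            return None
        return ts, g["tz"], g["rest"]
    return None


def count_between(lines, start, end):
    """Count parseable entries with start <= timestamp < end."""
    parsed = (parse_ar_line(ln) for ln in lines)
    return sum(1 for p in parsed if p and start <= p[0] < end)


# First three lines are the excerpts quoted in the message; the rest are constructed.
SAMPLE = [
    "Sat Feb 16 14:11:29 CET 2019 /var/ossec/active-response/...",
    "Sat Apr  6 12:19:14 CEST 2019 /var/ossec/active-response/...",
    "Sat 06 Apr 2019 12:39:54 PM CEST /var/ossec/active-response/...",
    "Sat 06 Apr 2019 01:05:00 PM CEST /var/ossec/active-response/...",
    "not a timestamped line",
]

if __name__ == "__main__":
    print(count_between(SAMPLE, datetime(2019, 4, 6, 12), datetime(2019, 4, 6, 13)))
```

The returned datetime is local wall-clock time; the timezone abbreviation is handed back separately so a caller can tell CET from CEST entries.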
