Hey, 

We installed ossec a few months ago, and recently realized we are not 
seeing many alerts on things that should be generating alerts. We are using 
OSSEC v3.7.0 on various versions of Ubuntu from 20.04 to 24.04. We use the 
built-in RSYSLOG_SyslogProtocol23Format for our logs. Unfortunately, OSSEC 
doesn't seem quite able to parse it correctly. 

For example:
<78>1 2024-12-05T11:34:16.945687-07:00 someserver crontab 84972 - -  (root) REPLACE (root)

This creates the following output in the logtest:

**Phase 1: Completed pre-decoding.
       full event: '<78>1 2024-12-05T11:34:16.945687-07:00 someserver crontab 84972 - -  (root) REPLACE (root)'
       hostname: 'someserver'
       program_name: '(null)'
       log: '<78>1 2024-12-05T11:34:16.945687-07:00 someserver crontab 84972 - -  (root) REPLACE (root)'

**Phase 2: Completed decoding.
       No decoder matched.

I presume that since it can't distinguish the program_name, the rules 
that would catch an update to the crontab are not able to fire. In fact, I 
think that many of the syslog rules will never fire until we can figure out 
how to help it figure out the program name. 

Unfortunately, in all of my googling and research, I have not been able to 
figure out how to teach it to parse this correctly. Nothing I've read (and I 
may be looking in the wrong spots) tells me how to configure OSSEC to read 
a new log format it doesn't recognize and have it find the program_name. 

Any help you can give me would be greatly appreciated. And if, for some 
reason, this is impossible, maybe some direction as to what formats are 
acceptable. 

Thanks,
BJ
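The line quoted in the message above is an RFC 5424 syslog header (rsyslog's RSYSLOG_SyslogProtocol23Format template produces that layout: `<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG`, with `-` as the nil value). The logtest output shows program_name already empty after Phase 1, so the header shape, not a rule or decoder, is the first thing to look at. As an added example, not code from the original post and not part of OSSEC, here is a small Python parser for that header that pulls out HOSTNAME, APP-NAME and PROCID, together with a rewriter that emits the traditional BSD-style header (`Mon DD HH:MM:SS host program[pid]: msg`) and a deliberately simplified model of a BSD-header pre-decoder (`bsd_program_name`, written for this example only, not OSSEC's implementation) to show that the program name is recoverable from the converted form and not from the original. It handles the edge cases visible in the post: nil fields, the extra leading blank in rsyslog's `%msg%`, and (beyond the post) a `Z` timestamp suffix and a structured-data element. All sample lines are constructed, modeled on the crontab line above; the hypothetical sshd line and its hostname are made up for the example.

```python
"""Parse RFC 5424 syslog headers and rewrite them in BSD (RFC 3164) style.

Added example for the ossec-list thread; this is not OSSEC code and not
code from the original post. Sample lines are constructed, modeled on the
crontab line quoted in the message.
"""
import re
from datetime import datetime

# RFC 5424 header:
#   <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
#   STRUCTURED-DATA [SP MSG]
# "-" is the nil value for the optional fields. The STRUCTURED-DATA pattern
# is simplified: it does not handle an escaped "]" inside a param value.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# Simplified model of a BSD-style pre-decoder, "Mon DD HH:MM:SS host prog[pid]: msg".
# It exists only to show why the 5424 line yields no program name; it is
# an assumption for this example, not OSSEC's actual pre-decoder.
_BSD = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<hostname>\S+) (?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
)


def parse_rfc5424(line):
    """Return a dict of header fields, or None if the line is not RFC 5424."""
    m = _RFC5424.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    for key in ("timestamp", "hostname", "appname", "procid", "msgid", "sd"):
        if rec[key] == "-":          # nil value
            rec[key] = None
    rec["msg"] = rec["msg"] or ""
    return rec


def to_bsd(rec):
    """Re-emit a parsed RFC 5424 record with a BSD-style header."""
    ts = rec["timestamp"]
    if ts is None:
        dt = datetime.now()          # nil timestamp: use receive time, as syslog does
    else:
        if ts.endswith("Z"):         # fromisoformat only accepts "Z" from Python 3.11
            ts = ts[:-1] + "+00:00"
        dt = datetime.fromisoformat(ts)
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"   # e.g. "Dec  5 11:34:16"
    tag = rec["appname"] or "-"
    if rec["procid"] is not None:
        tag += f"[{rec['procid']}]"
    host = rec["hostname"] or "-"
    # BSD style separates TAG and content with ": "; drop the leading blank
    # that rsyslog's %msg% carries for messages such as crontab's.
    return f"<{rec['pri']}>{stamp} {host} {tag}: {rec['msg'].lstrip()}"


def convert_line(line):
    """Convert a 5424 line to BSD style; pass any other line through unchanged."""
    rec = parse_rfc5424(line)
    return line if rec is None else to_bsd(rec)


def bsd_program_name(line):
    """Program name the model pre-decoder sees, or None (cf. '(null)' in logtest)."""
    m = _BSD.match(line)
    return m.group("program") if m else None


# Constructed sample lines, not captured logs.
CRONTAB_5424 = ("<78>1 2024-12-05T11:34:16.945687-07:00 someserver crontab "
                "84972 - -  (root) REPLACE (root)")
SSHD_5424 = ('<13>1 2024-12-05T18:34:16Z host2 sshd - - [meta seq="1"] '
             "Accepted publickey for alice")

if __name__ == "__main__":
    for raw in (CRONTAB_5424, SSHD_5424):
        print(f"{bsd_program_name(raw)!r:10} <- {raw}")
        out = convert_line(raw)
        print(f"{bsd_program_name(out)!r:10} <- {out}")
```

Run stand-alone it prints `None` for each 5424 line and `'crontab'` / `'sshd'` for the rewritten ones, which is the gap the logtest output above shows. Whether the fix on the real system is to change the rsyslog template or to change what OSSEC is taught is not something this thread settles; the parser just makes the field positions concrete.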

To view this discussion visit 
https://groups.google.com/d/msgid/ossec-list/b8f096f2-02a5-4f65-a13d-e137ffda3e96n%40googlegroups.com.