OK, it seems I can answer this now. After digging through the OSSEC source it was confirmed that ossec-logtest uses the current time as the alert time. This is absolutely correct.

Having the source code (thanks, OSSEC devs), I had the chance to modify ossec-logtest to fetch the date/time from the log data, set the alert time to the appropriate value and feed it to Splunk.

Regards,
Thomas
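The change Thomas describes, in the abstract, is: take the timestamp that is already inside the log line and use it as the alert time, falling back to the current clock only when the line carries none. The following C program is an added illustration of that logic written for this thread; it is not Thomas's patch and not code from the OSSEC project. It assumes the classic BSD syslog prefix ("Mar 14 10:22:05 host prog: ..."), which carries no year, so the year is taken from the current clock; the alert header layout and the sample log lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Map a three-letter English month abbreviation to 0..11, or -1 if unknown. */
static int month_index(const char *mon)
{
    static const char *names[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                  "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
    for (int i = 0; i < 12; i++)
        if (strncmp(mon, names[i], 3) == 0)
            return i;
    return -1;
}

/*
 * Try to read a BSD syslog timestamp ("Mar 14 10:22:05") from the start of a
 * log line. The format has no year, so the caller supplies the year to assume.
 * Returns 1 and fills *out on success, 0 if the line does not start with one.
 */
static int parse_syslog_time(const char *line, int year, struct tm *out)
{
    char mon[4];                /* three letters plus terminating NUL */
    int day, hh, mm, ss;

    /* "%3s" reads at most three letters; "%d" tolerates the space-padded day
     * syslog emits for days below 10 ("Mar  4 ..."). */
    if (sscanf(line, "%3s %d %d:%d:%d", mon, &day, &hh, &mm, &ss) != 5)
        return 0;

    int m = month_index(mon);
    if (m < 0 || day < 1 || day > 31 || hh < 0 || hh > 23 ||
        mm < 0 || mm > 59 || ss < 0 || ss > 60)
        return 0;               /* looked like a timestamp but is not a valid one */

    struct tm tm;
    memset(&tm, 0, sizeof tm);
    tm.tm_year = year - 1900;
    tm.tm_mon = m;
    tm.tm_mday = day;
    tm.tm_hour = hh;
    tm.tm_min = mm;
    tm.tm_sec = ss;
    tm.tm_isdst = -1;           /* let mktime decide about daylight saving time */
    *out = tm;
    return 1;
}

/*
 * Choose the alert time for a log line: the timestamp inside the line when
 * there is one, otherwise `now`, which is what stock ossec-logtest uses.
 */
static time_t alert_time_for(const char *line, time_t now)
{
    struct tm *now_tm = localtime(&now);
    struct tm ts;
    if (now_tm == NULL || !parse_syslog_time(line, now_tm->tm_year + 1900, &ts))
        return now;
    time_t t = mktime(&ts);
    return (t == (time_t)-1) ? now : t;
}

/* Write an alert header line into buf; the layout is constructed for this example. */
static int format_alert(char *buf, size_t len, const char *line, time_t now)
{
    time_t t = alert_time_for(line, now);
    return snprintf(buf, len, "** Alert %ld: %s", (long)t, line);
}

int main(void)
{
    /* Constructed sample log lines: one with a syslog timestamp, one without. */
    const char *lines[] = {
        "Mar 14 10:22:05 host1 sshd[1234]: Failed password for invalid user admin "
        "from 192.0.2.10 port 4242 ssh2",
        "no timestamp here at all",
    };
    time_t now = time(NULL);
    char buf[512];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        format_alert(buf, sizeof buf, lines[i], now);
        puts(buf);
    }
    return 0;
}
```

The year guess is the weak spot when replaying old logs: a line from last December replayed in January lands a year too late, so a replay tool should let the operator override the assumed year rather than always trusting the clock.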