Date format in alerts.log (and alerts.json)

Marianne Härdh

Jan 19, 2017, 1:11:08 PM
to ossec-list
Hello,

I have a question about changing the date format in alerts.log if possible. At the moment, I get this as an alert:

** Alert 1484784302.1529: - pam,syslog,
2017 Jan 19 00:05:02 ossec-15->/var/log/secure
Rule: 5502 (level 3) -> 'Login session closed.'
Jan 00:005:02 ossec-15 su: pam_unix(su-l:session): session closed for user ec2-user

I have tested an upgrade to 2.9 so we could have a log in JSON, which is our standard (please note that it's not the identical alert but one of the same type):

{"rule":{"level":3,"comment":"Login session closed.","sidid":5502,"firedtimes":2,"groups":["pam","syslog"],"PCI_DSS":["10.2.5"]},"full_log":"Jan 19 13:20:07 ossec-15 su: pam_unix(su-l:session): session closed for user ec2-user","program_name":"su","decoder":{"name":"pam"},"hostname":"ossec-15","timestamp":"2017 Jan 19 13:20:08","location":"/var/log/secure"}

We use filebeat to read alerts.json, filebeat sends to logstash/elasticsearch/kibana.

My problem is the year (2017) that's added to the beginning of the timestamp field in the JSON log (which is added in alerts.log as well). The logstash configuration we have written can't handle that. I know that we could rewrite the logstash configuration, but I would rather change it closer to the source.

Is this something that can be done in a decoder? Sorry for not RTFM but hoping someone can help before I start trawling through the documentation.
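As an added illustration (not part of the thread, and not OSSEC's own code), one way to deal with that field without touching OSSEC: a small Python normaliser that reads an alerts.json line, parses the "2017 Jan 19 13:20:08" stamp and writes it back as ISO 8601 in an "@timestamp" field, so the downstream date handling gets an unambiguous value. The sample line is constructed from the one in the post, and the assumption that the OSSEC host writes local time in UTC is mine.

```python
import json
from datetime import datetime, timezone

# Constructed sample alerts.json line, modelled on the 2.9 JSON alert in the
# post (values are illustrative, not a real event).
SAMPLE_ALERT = (
    '{"rule":{"level":3,"comment":"Login session closed.","sidid":5502,'
    '"firedtimes":2,"groups":["pam","syslog"],"PCI_DSS":["10.2.5"]},'
    '"full_log":"Jan 19 13:20:07 ossec-15 su: pam_unix(su-l:session): '
    'session closed for user ec2-user","program_name":"su",'
    '"decoder":{"name":"pam"},"hostname":"ossec-15",'
    '"timestamp":"2017 Jan 19 13:20:08","location":"/var/log/secure"}'
)

# OSSEC writes "YYYY Mon DD HH:MM:SS" with no zone information.
OSSEC_TS_FORMAT = "%Y %b %d %H:%M:%S"


def parse_ossec_timestamp(value, tz=timezone.utc):
    """Parse the OSSEC alert stamp into an aware datetime.

    Assumption: the OSSEC host clock is in `tz`; the stamp itself carries
    no offset, so the caller has to supply it.
    """
    return datetime.strptime(value, OSSEC_TS_FORMAT).replace(tzinfo=tz)


def normalize_alert(line, tz=timezone.utc):
    """Return the alert dict with an ISO 8601 '@timestamp' added.

    The original 'timestamp' field is kept untouched for auditing. If the
    stamp does not parse, the event is kept and tagged rather than dropped,
    so a format change upstream never silently loses alerts.
    """
    alert = json.loads(line)
    try:
        alert["@timestamp"] = parse_ossec_timestamp(alert["timestamp"], tz).isoformat()
    except (KeyError, ValueError):
        alert.setdefault("tags", []).append("_ossec_timestamp_parse_failure")
    return alert


if __name__ == "__main__":
    print(json.dumps(normalize_alert(SAMPLE_ALERT), indent=2))
```

Run this as a filter between alerts.json and the shipper (or as a logstash ruby/exec stage); events that fail to parse surface under the added tag instead of vanishing.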

dan (ddp)

Jan 19, 2017, 1:13:57 PM
to ossec...@googlegroups.com
I believe you'll have to modify the OSSEC source, both analysisd's output and any log reader's input.
