Graylog2 / graylog-guide-ossec

How to write OSSEC alerts into Graylog
Apache License 2.0

Not receiving any message and error format data #1

Open elkekou opened 7 years ago

elkekou commented 7 years ago

Hi,

I've just tried your guide, but I'm unable to get any result.

I see some traffic (tcpdump) coming from the OSSEC server to my Graylog server, but nothing is stored in the database. I get this log message error on every new OSSEC message:

2017-05-10T10:45:36.165+02:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=09413af2-355d-11e7-80da-001a4a304c75, journalOffset=87044594, codec=CEF, payloadSize=490, timestamp=2017-05-10T08:45:36.159Z, remoteAddress=/10.3.1.1:49166}
java.lang.IllegalArgumentException: Invalid format: "May 10 10:45:31"
    at org.joda.time.format.DateTimeFormatter.parseDateTime(DateTimeFormatter.java:945) ~[graylog.jar:?]
    at org.joda.time.DateTime.parse(DateTime.java:160) ~[graylog.jar:?]
    at org.graylog.plugins.cef.parser.SyslogCEFParser.parse(SyslogCEFParser.java:38) ~[?:?]
    at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:59) ~[?:?]
    at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) ~[graylog.jar:?]
    at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
    at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:79) [graylog.jar:?]
    at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45) [graylog.jar:?]
    at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
    at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

Please could you help me?

Speirs47 commented 4 years ago

I've got the same issue with message:

2>Aug 19 11:17:33 CEF:0|OSSEC Foundation|OSSEC HIDS|v3.6.0|503|Ossec agent started.|3|dvc=nrv02 classification= ossec, msg=ossec: Agent started: 'norm16->192.168.10.0'.
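Both messages quoted in this thread have the same shape: an optional syslog priority, a BSD syslog timestamp that carries no year, then the seven pipe-separated CEF header fields and the key=value extension. The stack trace in the first comment fails inside org.joda.time.DateTime.parse, which expects an ISO 8601 string, so "May 10 10:45:31" is rejected before any CEF field is looked at; the second comment additionally shows a mangled priority ("2>" instead of "<2>"). The parser below is an added example, not code from the graylog-guide-ossec project or from the Graylog CEF plugin. It shows what a tolerant decoder has to do: borrow a year from a reference time for the timestamp, accept the bare "N>" priority, split the header only on unescaped pipes, and keep extension values that contain spaces. The sample lines are constructed after the ones quoted above; the reference time and the escaped-pipe sample are assumptions.

```python
"""Tolerant parser for OSSEC CEF events wrapped in BSD syslog (example code)."""
import re
from datetime import datetime, timedelta

# Optional priority: "<2>" or the mangled "2>" seen in this thread (leading "<" lost),
# then a BSD timestamp without a year, then the CEF body.
SYSLOG_CEF_RE = re.compile(
    r"^\s*(?:<?(?P<pri>\d{1,3})>)?\s*"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<cef>CEF:.*)$"
)
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")          # a pipe not escaped by a backslash
EXT_KEY_RE = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")  # whitespace that starts the next key=

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def parse_bsd_timestamp(ts, reference):
    """Turn 'Aug 19 11:17:33' into a datetime by borrowing the year from `reference`.

    The BSD syslog timestamp has no year, which is why an ISO 8601 parser rejects
    it. If the result lands more than a day in the future relative to `reference`
    (a message written in late December and read in January), the previous year
    is used instead.
    """
    normalised = " ".join(ts.split())  # collapse the double space in "Aug  9"
    parsed = datetime.strptime(f"{reference.year} {normalised}", "%Y %b %d %H:%M:%S")
    if parsed - reference > timedelta(days=1):
        try:
            parsed = parsed.replace(year=reference.year - 1)
        except ValueError:  # Feb 29 has no counterpart in the previous year
            pass
    return parsed


def parse_cef_extension(ext):
    """Split 'k1=v1 k2=v2 with spaces' into a dict; values may contain spaces."""
    fields = {}
    for chunk in EXT_KEY_RE.split(ext.strip()):
        if "=" not in chunk:
            continue
        key, _, value = chunk.partition("=")
        fields[key] = value.strip()
    return fields


def parse_syslog_cef(line, reference=None):
    """Parse one syslog-wrapped CEF line into a dict, or raise ValueError."""
    reference = reference or datetime.now()
    m = SYSLOG_CEF_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog-wrapped CEF line: {line!r}")
    parts = HEADER_SPLIT_RE.split(m.group("cef"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError(f"CEF header needs 7 '|'-separated fields, got {len(parts) - 1}")
    event = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    event["cef_version"] = event["cef_version"].removeprefix("CEF:")
    event["timestamp"] = parse_bsd_timestamp(m.group("ts"), reference)
    event["extension"] = parse_cef_extension(parts[7])
    if m.group("pri") is not None:
        event["syslog_facility"], event["syslog_severity"] = divmod(int(m.group("pri")), 8)
    return event


# Constructed sample lines modelled on the messages quoted in this thread.
SAMPLE_LINES = [
    "2>Aug 19 11:17:33 CEF:0|OSSEC Foundation|OSSEC HIDS|v3.6.0|503|Ossec agent started.|3|"
    "dvc=nrv02 classification= ossec, msg=ossec: Agent started: 'norm16->192.168.10.0'.",
    # assumed variant with a well-formed priority and an escaped pipe in the name field
    "<13>May 10 10:45:31 CEF:0|OSSEC Foundation|OSSEC HIDS|v3.6.0|503|Agent started \\| restarted.|3|"
    "dvc=host01 msg=constructed sample",
]

if __name__ == "__main__":
    reference = datetime(2020, 8, 19, 12, 0, 0)  # constructed reference time
    for line in SAMPLE_LINES:
        event = parse_syslog_cef(line, reference=reference)
        print(event["timestamp"].isoformat(), event["signature_id"], event["name"], event["extension"])
```

The year inference is the part worth thinking about in a pipeline: a collector that simply stamps the current year is wrong for messages replayed after New Year, and an event whose timestamp cannot be parsed at all is the more dangerous outcome, since the stack trace above shows the whole message being dropped rather than stored with a best-effort time.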