Graylog2 / graylog-plugin-cef

[DEPRECATED] CEF (Common Event Format) input plugin for Graylog
https://www.graylog.org/
Apache License 2.0

Could not parse timestamp. with ossec same as #23 #28

Open marcRBD opened 6 years ago

marcRBD commented 6 years ago

Hello, I find the same bug again in Graylog 2.4.5-1:

java.lang.IllegalStateException: Could not parse timestamp. 'Jun 21 14:18:06'

Same as: https://github.com/Graylog2/graylog-plugin-cef/issues/23. Thanks.

jalogisch commented 6 years ago

@marcRBD, could you please share one full message with us? This will help us identify the issues the parser might have.

Thank you.

marcRBD commented 6 years ago

Hello, a message as decoded in Wireshark:

<132>Jun 21 13:41:36 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.9.2|5710|Attempt to login using a non-existent user|5|dvc=ossec-hids-test- cs1=ossec-hids-test-->/var/log/auth.log cs1Label=Location classification= syslog,sshd,invalid_login,authentication_failed, src=::1 shost=::1 cs4Label=SrcCity cs4=Unknown (4) msg=Jun 21 13:41:35 ossec-hids-test- sshd[11756]: Invalid user test from ::1

Thanks

Speirs47 commented 4 years ago

I've got the same issue on Graylog 3.3.5: java.lang.IllegalStateException: Could not parse timestamp. 'Aug 19 11:17:33'

Message: 2>Aug 19 11:17:33 CEF:0|OSSEC Foundation|OSSEC HIDS|v3.6.0|503|Ossec agent started.|3|dvc=nrv02 classification= ossec, msg=ossec: Agent started: 'norm16->192.168.10.0'.

elanfer commented 3 years ago

Hi, I'm having the same issue. Running Graylog 4.2.1

The issue occurred today, with the start of the new month; interestingly, it worked through November… A message where the exception will be thrown looks like this:

<132>Dec  1 13:06:15 CEF:0|OSSEC Foundation|OSSEC HIDS|v3.6.0|5710|[...]

As you can see, it occurs when parsing CEF messages that were generated by OSSEC (v3.6.0). I'm not much into this standard, but probably their date format isn't conformant? Or is this an issue with the CEF parser integrated in Graylog?

The exact error:

2021-12-01T14:02:12.297+01:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=e6447e60-52a6-11ec-ad0c-00163e1100a0, messageQueueId=4032168, codec=CEF, payloadSize=408, timestamp=2021-12-01T13:02:12.294Z, remoteAddress=/131.173.17.112:57074}
java.lang.IllegalStateException: Could not parse timestamp. 'Dec  1 13:02:07'
        at com.github.jcustenborder.cef.CEFParserImpl.parse(CEFParserImpl.java:114) ~[graylog.jar:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) ~[graylog.jar:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:112) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:153) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:94) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:95) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:49) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_312]

Thank you!

Edit: I just looked it up; it seems that OSSEC is sending proper CEF messages (cf. https://raffy.ch/blog/wp-content/uploads/2007/06/CEF.pdf).

elanfer commented 3 years ago

Never mind! I solved the issue; the problem was a wrong system locale... (German: it expected Dez instead of Dec in date parsing). Changing the locale to en_US.utf8 solved the problem for me.
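As an added illustration of the root cause elanfer found above, and not code from this plugin or from the CEF parser library named in the stack trace: the syslog-style prefix timestamp in these OSSEC messages carries English month abbreviations, so a formatter that inherits the JVM default locale rejects "Dec" on a German host, while pinning Locale.ENGLISH makes the parse independent of host settings. Class and method names are hypothetical.

```java
import java.time.LocalDateTime;
import java.time.Year;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoField;
import java.util.Locale;

// Hypothetical helper for the "MMM d HH:mm:ss" prefix that OSSEC puts in front of
// "CEF:0|...". Single-digit days arrive padded with a second space ("Dec  1").
public final class CefPrefixTimestamp {

    private static DateTimeFormatter formatter(Locale locale) {
        return new DateTimeFormatterBuilder()
                .appendPattern("MMM ")                               // short month name: locale dependent
                .optionalStart().appendLiteral(' ').optionalEnd()    // tolerate "Dec  1"
                .appendPattern("d HH:mm:ss")
                .parseDefaulting(ChronoField.YEAR, Year.now().getValue()) // syslog omits the year
                .toFormatter(locale);
    }

    // Returns null instead of throwing, so the caller can see which locale rejects which input.
    // German short month names differ for several months (e.g. "Dez" vs "Dec"), which is the
    // failure elanfer hit when the host locale was German.
    public static LocalDateTime tryParse(String text, Locale locale) {
        try {
            return LocalDateTime.parse(text, formatter(locale));
        } catch (DateTimeParseException e) {
            return null;
        }
    }

    // The robust form: the month abbreviation in this prefix is always English, so pin the
    // locale instead of inheriting Locale.getDefault() from the host.
    public static LocalDateTime parse(String text) {
        return LocalDateTime.parse(text, formatter(Locale.ENGLISH));
    }

    public static void main(String[] args) {
        // Timestamps taken from the messages quoted in this issue.
        String[] samples = {"Jun 21 13:41:36", "Aug 19 11:17:33", "Dec  1 13:06:15"};
        for (String ts : samples) {
            System.out.printf("%-16s default(%s)=%s  de=%s  en=%s%n", ts, Locale.getDefault(),
                    tryParse(ts, Locale.getDefault()), tryParse(ts, Locale.GERMAN), parse(ts));
        }
    }
}
```

Running it with the JVM started under a German locale (for example -Duser.language=de) reproduces the null result for the December sample in the default and de columns, while the en column parses every sample.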