/graylog-plugin-cef

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"Could not parse timestamp" with OSSEC CEF Format #23

Closed
dmuntean opened this Issue Nov 6, 2017 · 3 comments

Comments

Assignees

@joschi joschi

Labels
bug
Projects
None yet
Milestone
  2.4.0
3 participants
@dmuntean @joschi @marcRBD
@dmuntean

dmuntean commented Nov 6, 2017
edited by joschi

Hi guys,

I've been using graylog-plugin-cef version 1.1.1 with graylog version 2.1 to capture OSSEC version 2.9 logs in CEF format, and everything was working perfectly.

I updated graylog to version 2.3 and had to install graylog-plugin-cef version 2.3.0-beta.4. Unfortunately, this plugin no longer works, the messages can't be parsed anymore. The graylog log file contains following error for every message OSSEC is sending:

2017-11-06T13:27:16.199+11:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=01611060-c29a-11e7-a613-027398a5183e, journalOffset=8164, codec=CEF, payloadSize=208, timestamp=2017-11-06T02:27:16.198Z, remoteAddress=/127.0.0.1:59225} on input <59ffa6170ff9947a446c4b7b>.

2017-11-06T13:27:16.199+11:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=01611060-c29a-11e7-a613-027398a5183e, journalOffset=8164, codec=CEF, payloadSize=208, timestamp=2017-11-06T02:27:16.198Z, remoteAddress=/127.0.0.1:59225}
java.lang.IllegalStateException: Could not parse timestamp. 'Nov  6'
        at com.github.jcustenborder.cef.CEFParserImpl.parse(CEFParserImpl.java:120) ~[?:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:108) ~[?:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:92) ~[?:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

I also couldn't find how to configure OSSEC to send timestamp in any different format.

Is there a way to configure the expected timestamp with CEF input?
@joschi

This comment has been minimized.

Sign in to view
Contributor

joschi commented Nov 6, 2017

@dmuntean Please attach a complete message generated by OSSEC 2.9 so we can test our implementation against it.

@joschi joschi added the needs-input label Nov 6, 2017

@dmuntean

This comment has been minimized.

Sign in to view

dmuntean commented Nov 13, 2017
edited

Please find the full message below.

<132>Nov 13 13:17:41 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.9.2|1002|Unknown problem somewhere in the system.|2|dvc=log cs1=(proxy) any->/var/log/syslog cs1Label=Location classification= syslog,errors, msg=Nov 13 13:17:39 proxy tinyproxy[26954]: readbuff: recv() error "Connection reset by peer" on file descriptor 6

joschi added a commit to graylog-labs/cef-parser that referenced this issue Nov 15, 2017

@joschi
Add extrawurst for OSSEC 🌭 
Refs Graylog2/graylog-plugin-cef#23
Unverified
The committer email address is not verified.
Learn about signing commits
Loading status checks…
39e2fed

joschi added a commit that referenced this issue Nov 15, 2017

@joschi
Upgrade to CEF parser 0.0.1.10 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23
Unverified
The committer email address is not verified.
Learn about signing commits
Loading status checks…
cf2bc52

@joschi joschi added this to the 2.4.0 milestone Nov 15, 2017

@joschi joschi added bug and removed needs-input labels Nov 15, 2017

@joschi joschi self-assigned this Nov 15, 2017

@joschi joschi referenced this issue Nov 15, 2017

Merged

Upgrade to CEF parser 0.0.1.10 #24

@joschi joschi closed this in #24 Nov 15, 2017

joschi added a commit that referenced this issue Nov 15, 2017

@joschi
Upgrade to CEF parser 0.0.1.10 (#24) 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
b12ac0e

joschi added a commit that referenced this issue Nov 15, 2017

@joschi
Upgrade to CEF parser 0.0.1.10 (#24) 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

(cherry picked from commit b12ac0e)
Unverified
The committer email address is not verified.
Learn about signing commits
Loading status checks…
8b09f97

joschi added a commit that referenced this issue Nov 15, 2017

@joschi
Upgrade to CEF parser 0.0.1.10 (#24) 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

(cherry picked from commit b12ac0e)
Unverified
The committer email address is not verified.
Learn about signing commits
Loading status checks…
4635cee

joschi added a commit that referenced this issue Nov 15, 2017

@joschi
Upgrade to CEF parser 0.0.1.10 (#24) 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

(cherry picked from commit b12ac0e)
Unverified
The committer email address is not verified.
Learn about signing commits
Loading status checks…
deb9d1c
@marcRBD

This comment has been minimized.

Sign in to view

marcRBD commented Jun 21, 2018

hello
i find again the same bug in graylog 2.4.5-1

java.lang.IllegalStateException: Could not parse timestamp. 'Jun 21 14:18:06'

thanks

@marcRBD marcRBD referenced this issue Jun 21, 2018

Open

Could not parse timestamp. with ossec same as #23 #28

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment