
"Could not parse timestamp" with OSSEC CEF Format #23

Closed
dmuntean opened this Issue Nov 6, 2017 · 3 comments

Comments

@dmuntean

dmuntean commented Nov 6, 2017

Hi guys,

I've been using graylog-plugin-cef version 1.1.1 with graylog version 2.1 to capture OSSEC version 2.9 logs in CEF format, and everything was working perfectly.

I updated graylog to version 2.3 and had to install graylog-plugin-cef version 2.3.0-beta.4. Unfortunately, this plugin no longer works; the messages can't be parsed anymore. The graylog log file contains the following error for every message OSSEC is sending:

2017-11-06T13:27:16.199+11:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=01611060-c29a-11e7-a613-027398a5183e, journalOffset=8164, codec=CEF, payloadSize=208, timestamp=2017-11-06T02:27:16.198Z, remoteAddress=/127.0.0.1:59225} on input <59ffa6170ff9947a446c4b7b>.
2017-11-06T13:27:16.199+11:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=01611060-c29a-11e7-a613-027398a5183e, journalOffset=8164, codec=CEF, payloadSize=208, timestamp=2017-11-06T02:27:16.198Z, remoteAddress=/127.0.0.1:59225}
java.lang.IllegalStateException: Could not parse timestamp. 'Nov  6'
        at com.github.jcustenborder.cef.CEFParserImpl.parse(CEFParserImpl.java:120) ~[?:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:108) ~[?:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:92) ~[?:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

I also couldn't find how to configure OSSEC to send the timestamp in a different format.

Is there a way to configure the expected timestamp with CEF input?

@joschi


Contributor

joschi commented Nov 6, 2017

@dmuntean Please attach a complete message generated by OSSEC 2.9 so we can test our implementation against it.

@joschi joschi added the needs-input label Nov 6, 2017

@dmuntean


dmuntean commented Nov 13, 2017

Please find the full message below.

<132>Nov 13 13:17:41 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.9.2|1002|Unknown problem somewhere in the system.|2|dvc=log cs1=(proxy) any->/var/log/syslog cs1Label=Location classification= syslog,errors, msg=Nov 13 13:17:39 proxy tinyproxy[26954]: readbuff: recv() error "Connection reset by peer" on file descriptor 6

joschi added a commit to graylog-labs/cef-parser that referenced this issue Nov 15, 2017

joschi added a commit that referenced this issue Nov 15, 2017

Upgrade to CEF parser 0.0.1.10
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23
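The commit message above names the cause: OSSEC frames its CEF event in a BSD syslog prefix that has no hostname between the timestamp and "CEF:", and a single-digit day is padded with two spaces, which is the 'Nov  6' token in the stack trace. The parser below is an added Python example, not the plugin's Java code or the cef-parser library it upgraded to; it makes the hostname optional, tolerates the padded day, and then splits the CEF header and extension with their escape rules. The sample lines and the year handling (BSD syslog carries no year) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed samples (not from the page). The OSSEC form has no hostname between the
# timestamp and "CEF:", and a single-digit day is padded with two spaces: exactly the
# 'Nov  6' token the reported stack trace could not parse.
OSSEC_LINE = ('<132>Nov  6 13:27:16 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.9.2|1002|'
              'Unknown problem somewhere in the system.|2|dvc=log cs1=(proxy) any->'
              '/var/log/syslog cs1Label=Location msg=recv() error \\"reset\\" on fd 6')
STANDARD_LINE = ('<13>Nov 13 13:17:41 proxy CEF:0|Vendor|Product|1.0|100|Pipe\\|test|5|'
                 'src=10.0.0.1 act=a\\=b')

# BSD syslog prefix with the hostname made optional; "CEF:" is never taken as a hostname.
SYSLOG_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+'
    r'(?:(?P<host>(?!CEF:)\S+)\s+)?'
    r'(?P<cef>CEF:\d+\|.*)$', re.DOTALL)
KEY_RE = re.compile(r'(?:^|(?<=\s))(\w+)=')   # an extension key starts after whitespace

def unescape(value):
    """Undo CEF escaping: a backslash before |, =, \\ or any other char, plus \\n and \\r."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """Split 'k1=v1 k2=v2' where values may contain spaces, '=' and escaped separators."""
    keys = list(KEY_RE.finditer(ext))
    ends = [k.start() for k in keys[1:]] + [len(ext)]
    return {k.group(1): unescape(ext[k.end():end].strip()) for k, end in zip(keys, ends)}

def parse_cef_syslog(line, year=None):
    """Parse a CEF message carried in a syslog line whose hostname field may be absent."""
    m = SYSLOG_RE.match(line.rstrip('\n'))
    if not m:
        raise ValueError('not a syslog-framed CEF line')
    # BSD syslog timestamps carry no year; assume the current one unless told otherwise.
    year = year or datetime.now().year
    ts = datetime.strptime(f"{year} {' '.join(m.group('ts').split())}", '%Y %b %d %H:%M:%S')
    pri = int(m.group('pri')) if m.group('pri') else None
    fields = re.split(r'(?<!\\)\|', m.group('cef'), maxsplit=7)   # 7 header fields + extension
    if len(fields) != 8:
        raise ValueError('CEF header must have seven pipe-separated fields')
    return {'facility': None if pri is None else pri >> 3,
            'syslog_severity': None if pri is None else pri & 7,
            'timestamp': ts, 'host': m.group('host'),
            'cef_version': int(fields[0].split(':', 1)[1]), 'vendor': unescape(fields[1]),
            'product': unescape(fields[2]), 'device_version': unescape(fields[3]),
            'signature_id': unescape(fields[4]), 'name': unescape(fields[5]),
            'cef_severity': unescape(fields[6]), 'extension': parse_extension(fields[7])}
```

Both framings parse to the same structure; for the OSSEC line `host` comes back as `None` rather than the parser misreading part of the timestamp or the CEF header as a hostname.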

@joschi joschi added this to the 2.4.0 milestone Nov 15, 2017

@joschi joschi added bug and removed needs-input labels Nov 15, 2017

@joschi joschi self-assigned this Nov 15, 2017

@joschi joschi closed this in #24 Nov 15, 2017

joschi added a commit that referenced this issue Nov 15, 2017

Upgrade to CEF parser 0.0.1.10 (#24)
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

joschi added a commit that referenced this issue Nov 15, 2017

Upgrade to CEF parser 0.0.1.10 (#24)
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

(cherry picked from commit b12ac0e)

@marcRBD


marcRBD commented Jun 21, 2018

Hello,
I find the same bug again in graylog 2.4.5-1.

java.lang.IllegalStateException: Could not parse timestamp. 'Jun 21 14:18:06'

thanks
