Skip to content

/ graylog-plugin-cef

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Could not parse timestamp" with OSSEC CEF Format #23

Closed
dmuntean opened this issue Nov 6, 2017 · 3 comments
Closed

"Could not parse timestamp" with OSSEC CEF Format #23

dmuntean opened this issue Nov 6, 2017 · 3 comments
Assignees
@joschi
Labels
bug
Milestone
2.4.0

Comments

@dmuntean
Copy link

@dmuntean dmuntean commented Nov 6, 2017
edited by joschi

Hi guys,

I've been using graylog-plugin-cef version 1.1.1 with graylog version 2.1 to capture OSSEC version 2.9 logs in CEF format, and everything was working perfectly.

I updated graylog to version 2.3 and had to install graylog-plugin-cef version 2.3.0-beta.4. Unfortunately, this plugin no longer works, the messages can't be parsed anymore. The graylog log file contains following error for every message OSSEC is sending:

2017-11-06T13:27:16.199+11:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=01611060-c29a-11e7-a613-027398a5183e, journalOffset=8164, codec=CEF, payloadSize=208, timestamp=2017-11-06T02:27:16.198Z, remoteAddress=/127.0.0.1:59225} on input <59ffa6170ff9947a446c4b7b>.

2017-11-06T13:27:16.199+11:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=01611060-c29a-11e7-a613-027398a5183e, journalOffset=8164, codec=CEF, payloadSize=208, timestamp=2017-11-06T02:27:16.198Z, remoteAddress=/127.0.0.1:59225}
java.lang.IllegalStateException: Could not parse timestamp. 'Nov  6'
        at com.github.jcustenborder.cef.CEFParserImpl.parse(CEFParserImpl.java:120) ~[?:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:108) ~[?:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:92) ~[?:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

I also couldn't find how to configure OSSEC to send timestamp in any different format.

Is there a way to configure the expected timestamp with CEF input?
@joschi
Copy link
Contributor

@joschi joschi commented Nov 6, 2017

@dmuntean Please attach a complete message generated by OSSEC 2.9 so we can test our implementation against it.
@joschi joschi added the needs-input label Nov 6, 2017
@dmuntean
Copy link
Author

@dmuntean dmuntean commented Nov 13, 2017
edited

Please find the full message below.

<132>Nov 13 13:17:41 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.9.2|1002|Unknown problem somewhere in the system.|2|dvc=log cs1=(proxy) any->/var/log/syslog cs1Label=Location classification= syslog,errors, msg=Nov 13 13:17:39 proxy tinyproxy[26954]: readbuff: recv() error "Connection reset by peer" on file descriptor 6
joschi pushed a commit to graylog-labs/cef-parser that referenced this issue Nov 15, 2017
Jochen Schalanda
Add extrawurst for OSSEC 🌭
Unverified
No user is associated with the committer email.
Learn about signing commits
Loading status checks…
39e2fed 
Refs Graylog2/graylog-plugin-cef#23
joschi pushed a commit that referenced this issue Nov 15, 2017
Jochen Schalanda
Upgrade to CEF parser 0.0.1.10
Unverified
No user is associated with the committer email.
Learn about signing commits
Loading status checks…
cf2bc52 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23
@joschi joschi added this to the 2.4.0 milestone Nov 15, 2017
@joschi joschi added bug and removed needs-input labels Nov 15, 2017
@joschi joschi self-assigned this Nov 15, 2017
@joschi joschi mentioned this issue Nov 15, 2017
Merged
@joschi joschi closed this in #24 Nov 15, 2017
joschi added a commit that referenced this issue Nov 15, 2017
@joschi
Upgrade to CEF parser 0.0.1.10 (#24)
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
b12ac0e 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23
joschi added a commit that referenced this issue Nov 15, 2017
@joschi Jochen Schalanda
Upgrade to CEF parser 0.0.1.10 (#24)
Unverified
No user is associated with the committer email.
Learn about signing commits
Loading status checks…
8b09f97 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

(cherry picked from commit b12ac0e)
joschi added a commit that referenced this issue Nov 15, 2017
@joschi Jochen Schalanda
Upgrade to CEF parser 0.0.1.10 (#24)
Unverified
No user is associated with the committer email.
Learn about signing commits
Loading status checks…
4635cee 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

(cherry picked from commit b12ac0e)
joschi added a commit that referenced this issue Nov 15, 2017
@joschi Jochen Schalanda
Upgrade to CEF parser 0.0.1.10 (#24)
Unverified
No user is associated with the committer email.
Learn about signing commits
Loading status checks…
deb9d1c 
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

(cherry picked from commit b12ac0e)
@marcRBD
Copy link

@marcRBD marcRBD commented Jun 21, 2018

hello
i find again the same bug in graylog 2.4.5-1

java.lang.IllegalStateException: Could not parse timestamp. 'Jun 21 14:18:06'

thanks
@marcRBD marcRBD mentioned this issue Jun 21, 2018
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joschi joschi

Labels
bug
Projects
None yet
Milestone
2.4.0
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@joschi @dmuntean @marcRBD